About the author

Kathryn is a fractional GC with extensive experience in the financial services, fintech and payments technology sectors.

She is an Australian-qualified lawyer and supports her clients globally as part of Clearlake’s international counsel service.

This article explores the key financial regulations governing the day-to-day operations of payments businesses.

We focus on the core themes of compliance and we highlight specific requirements within each jurisdiction.

Clearlake Law provides an outsourced legal department specialised in supporting organisations in the payments industry across the UK, New Zealand, and Australia.

Safeguarding client funds

United Kingdom

Amongst the UK’s key financial regulations are the provisions for safeguarding client funds.

These provisions require payment and electronic money institutions to segregate customer funds from their own operational funds to protect client money in the event of insolvency.

The UK’s safeguarding regulations are robust and among the strictest globally.

Payments businesses must maintain accurate records and have effective systems and controls in place to ensure compliance with safeguarding obligations.

Firms are expected to demonstrate compliance through appropriate governance and reporting, which may involve the appointment of an independent auditor.

Payments firms are also required to provide regular reports to the Financial Conduct Authority (FCA) detailing how they safeguard customer funds, including notifying the FCA if they are unable to meet any safeguarding requirements.

Australia

In Australia, the Payment Systems (Regulation) Act mandates that payments businesses maintain sufficient capital reserves to protect against financial instability.

Larger providers regulated by the Australian Prudential Regulation Authority (APRA) are also required to conduct regular financial stress tests.

Unlike the UK, where segregation of funds is paramount, Australia focuses on financial resilience through mandatory capital adequacy ratios and ongoing liquidity assessments.

New Zealand

New Zealand’s key financial regulations relating to safeguarding are found in the Financial Service Providers (Registration and Dispute Resolution) Act.

These provisions require payments businesses to register and participate in a dispute resolution scheme accessible to their customers.

New Zealand safeguarding obligations are less prescriptive than in the UK and Australia. However, businesses must demonstrate compliance with broad risk management frameworks.

The Reserve Bank of New Zealand is the body responsible for overseeing client fund safeguarding and, more generally, for ensuring financial system stability.

Transaction reporting requirements

United Kingdom

The UK’s reporting requirements, enforced by the FCA, demand that payments businesses submit detailed transaction reports on a regular basis. These reports must include information on transaction values, counterparties and locations.

Additionally, businesses are required to flag unusual or high-risk activities in their reporting, contributing to the UK’s broader anti-money laundering (AML) efforts.

Non-compliance can lead to fines, reputational damage and even regulatory intervention.

Australia: Real-time reporting to regulators

Australian payments businesses are required to provide real-time transaction reporting to the Australian Transaction Reports and Analysis Centre (AUSTRAC).

This involves not only flagging suspicious transactions but also reporting cash transactions above AUD 10,000.

Businesses must submit these reports electronically using AUSTRAC’s online system, ensuring timely and accurate data submission.

Failure to comply can result in significant fines and regulatory action. This is particularly critical for anti-money laundering (AML) compliance, as businesses must flag suspicious transactions immediately.

New Zealand: Periodic reporting obligations

New Zealand’s reporting framework is less frequent but requires high accuracy.

Payments businesses must submit transaction data to the Financial Markets Authority (FMA) and Reserve Bank at specified intervals, with a focus on ensuring compliance with AML obligations.

Businesses are also expected to maintain detailed records for audits and investigations, which the authorities can request at any time.

Anti-money laundering (AML) compliance

United Kingdom

The UK’s Money Laundering Regulations 2017 require payments businesses to implement stringent AML measures.

These requirements include verifying customer identities, conducting enhanced due diligence for high-risk clients, and maintaining records for at least five years.

Payments businesses must also file Suspicious Activity Reports (SARs) with the National Crime Agency (NCA) and are encouraged to use automated monitoring systems to detect unusual transactions efficiently.

Australia: AUSTRAC oversight

Australia’s AML and Counter-Terrorism Financing Act 2006, enforced by AUSTRAC, imposes strict obligations on payments businesses.

They must implement detailed compliance programs that include customer identity verification, real-time transaction monitoring, and regular staff training.

Enhanced due diligence is mandatory for transactions involving high-risk countries or industries.

Non-compliance can lead to significant financial penalties and reputational damage.

New Zealand: Proportionate risk-based approach

New Zealand’s AML and Countering Financing of Terrorism Act 2009 takes a pragmatic approach, requiring payments businesses to tailor their compliance measures to the assessed level of risk.

Key obligations include customer due diligence, ongoing transaction monitoring, and filing Suspicious Transaction Reports (STRs) with the Financial Intelligence Unit (FIU).

The flexibility in the framework allows businesses to focus resources on higher-risk areas while ensuring overall compliance.

For more on the ins and outs of AML / KYC regulations, see our post on AML / KYC compliance requirements for payments business in the UK, Australia & New Zealand.

Operational resilience and cybersecurity

United Kingdom

The FCA mandates that payments businesses in the UK maintain robust business continuity and disaster recovery plans.

These plans must account for various scenarios, such as cyberattacks and system failures, to ensure minimal disruption to services.

Additionally, regular stress testing and penetration testing are required to evaluate the resilience of critical systems.

Australia

Australia’s Prudential Standard CPS 234, enforced by APRA, sets out strict requirements for information security in payments businesses.

Organisations must implement advanced security measures, such as multi-factor authentication and real-time threat monitoring.

Regular audits are required to identify vulnerabilities, and any significant data breaches must be reported promptly to APRA and affected individuals.

New Zealand

New Zealand’s regulatory framework places a strong emphasis on protecting personal data.

Payments businesses must ensure compliance with the Privacy Act 2020 by implementing secure systems and reporting breaches that pose a risk of serious harm.

See this post for an overview of the personal data compliance risks for organisations in the UK, New Zealand and Australia payments sectors.

The value of expert guidance

Navigating these key financial regulations requires not only a deep understanding of the rules but also the ability to implement practical solutions tailored to each jurisdiction.

By partnering with experienced legal counsel and regulatory consultants, payments businesses can proactively address compliance risks, allowing them to focus on growth and innovation.

Thank you

Hopefully, that was a useful run-through of some of the key financial regulations governing payments businesses in the UK, Australia, and New Zealand.

For additional guidance on risks facing organisations in the fintech sector across each of these three jurisdictions, see our post on the top 5 risks for fintech SMEs expanding in the UK, Australia and New Zealand.

About Clearlake Law

Clearlake Law provides a sector-specialist outsourced legal department for your business.

We support organisations in the payments industry operating across the UK, New Zealand, and Australia.

Our experienced, industry-expert lawyers work as an extension of your team.

We provide a single point of contact for all legal matters that arise in your business, from compliance management and reporting to advising on cross-border operations and safeguarding requirements.

Our role is to ensure your business is protected and poised for success at all times.

The author of this post and our leading expert in the payments industry sector is Kathryn Beater.

The information provided about key financial regulations in this blog is for general informational purposes only and does not constitute legal advice. You should seek independent legal advice regarding your particular circumstances. Accessing or using this blog does not create a solicitor-client or attorney-client relationship with Clearlake Law LLP or with any of our affiliates or lawyers.