Preparing for BNPL regulation: What firms need to do now

The arrival of formal regulation for Buy Now, Pay Later (BNPL) products is no longer a question of if, but when. With the Treasury’s May 2025 consultation response, the direction is this: by mid-2026, third-party BNPL lenders will fall within the scope of the Financial Conduct Authority (FCA).

This change brings with it a full set of regulatory requirements—covering affordability, creditworthiness, redress, disclosures, and governance. While many firms are familiar with the general framework, the pace and detail of implementation demand serious attention.

Risk leaders now face a critical window to build a strategy that aligns commercial goals with regulatory readiness.

Scope of the new BNPL regime

From mid-2026, third-party BNPL providers must be authorised by the FCA and comply with its rules on affordability, creditworthiness, consumer duty, complaints, disclosures, and more:

• Mandatory, proportionate affordability and creditworthiness checks
  Firms must demonstrate verifiable checks at the point of decisioning, aligned to individual circumstances, not just product type.
• Access to the Financial Ombudsman Service (FOS)
  BNPL customers can now escalate complaints to FOS, increasing the importance of auditable redress processes and timely resolution.
• Tailored disclosure requirements for digital-first products
  The FCA will introduce a bespoke regime focused on real-world comprehension — not just information delivery. Firms will need to test and evidence understanding.
• Extension of Section 75 protections to BNPL agreements
  Providers will be jointly liable for qualifying claims, requiring clear merchant oversight, governance controls, and capital planning to manage new exposure.

While third-party BNPL is the initial focus, merchant-offered BNPL products remain outside the perimeter for now. This exemption, based on Article 60F(2) of the Regulated Activities Order, is under review and could be revisited if scale or harm increases.

What this means for compliance and risk leaders

The FCA isn’t looking for surface-level compliance. It expects firms to demonstrate that processes are working and that consumers are genuinely protected. 

Affordability frameworks must evolve
Checks must be proportionate and verifiable, with models recalibrated to reflect customer circumstances. Even low-value lending must evidence the potential for harm reduction.

Complaint handling will need to be FOS-ready
This includes robust audit trails, clear redress pathways, MI reporting on themes, and training on FOS processes.

Joint liability introduces new exposure
Providers must enhance governance around merchant partnerships, define liability clearly in contracts, and plan for potential claims in their capital models.

Joined-up governance is essential
Effective programmes will require close collaboration across credit, compliance, legal, product, and ops teams—with clear ownership under SM&CR.

Disclosures must reflect real-world understanding
It’s not just about format. The FCA expects firms to test, monitor, and evidence comprehension—particularly for vulnerable customers.

Making best use of the Temporary Permissions Regime

The FCA will launch a Temporary Permissions Regime (TPR) to support the transition. Providers must be ready to act quickly when the window opens.

• Prepare for registration
  Ensure that internal records, model documentation, and business models are clearly aligned with regulatory expectations.

• Conduct a readiness assessment
  Review decisioning processes, affordability checks, complaints management, and financial crime controls.

• Plan for dual-track execution
  Meet TPR requirements while simultaneously building toward full authorisation.

• Engage early with the FCA
  Establish open communication lines to reduce ambiguity and show proactivity.

• Plan for contingencies
  Prepare wind-down plans, customer messaging, and backup procedures in case of registration delays or rejections.

Innovation and consumer protection can coexist

The decision to exclude some legacy Consumer Credit Act requirements reflects the unique nature of BNPL: short-term, interest-free, and often accessed via digital channels.

This creates space for a more relevant, user-centric approach to disclosures but it also raises the bar.

Risk and compliance teams should work with product, legal, and design leads to ensure communications are:

• Integrated into real customer journeys

• Mobile-friendly and accessible

• Prompted by user behaviour

• Supported by outcome-based testing and complaints data

Those who treat disclosures as a compliance task may struggle. Those who invest in relevance and usability will have stronger customer engagement and defensibility.

Merchant carve-out and the risk of market distortion

The decision to exclude merchant-led BNPL from the regulatory scope has sparked debate. Without oversight, merchant-offered credit could create competitive asymmetry and raise consumer protection concerns.

Risk leaders should:

• Monitor merchant product developments and prepare for potential perimeter expansion
• Review all third-party merchant partnerships for regulatory dependencies
• Revisit financial promotions and credit broking arrangements, particularly where merchants promote BNPL products without broking permissions

Regulatory costs and anticipated market impact

The Treasury’s impact assessment estimates:

• An Equivalent Annual Net Direct Cost to Business (EANDCB) of £2.3 million
• A Net Present Value of -£20.1 million over the assessment period
• Authorisation application fees: £5,000 to £25,000
• Annual supervision fees: £10,000 to £50,000
• Technology upgrades: £500,000 to £2 million per provider for systems supporting affordability, reporting, and complaints
• Section 75 exposure: Estimated at 0.5% to 1.2% of transaction values

With the UK’s BNPL market valued at £20 billion annually, sector-wide exposure to Section 75 alone could exceed £100 million.

Consolidation is expected. Government modelling suggests 20–30% of providers may exit the market post-regulation. But with global BNPL volumes growing rapidly, those who remain stand to benefit from a stronger, more trusted marketplace.

How leading firms are responding

Some providers have already started adjusting:

Klarna
Following regulatory scrutiny in Sweden, Klarna UK introduced income verification, real-time spend tracking, and risk-based onboarding.

Monzo Flex
Built affordability into product design from the outset, with integrated credit reporting and real-time tracking.

PayPal
Adopted a cross-functional compliance strategy with specialist teams, training, and documentation of governance processes.

The clock is ticking and the gap between those who prepare and those who delay will widen fast. For risk leaders, this is a chance to go beyond baseline compliance, strengthening frameworks, improving customer outcomes, and shaping the future of BNPL in a regulated environment.