The compliance landscape for Electronic Money Institutions (EMIs) in the UK and Europe is shifting not in theory, but in enforcement intensity, reporting standards, and operational expectations.

In 2026, regulators are no longer asking whether you have policies.

They are asking whether your systems prove they work.

Here’s what’s materially changing.

UK: Safeguarding Rules Have Entered a New Phase

The UK’s Financial Conduct Authority has implemented strengthened safeguarding requirements for EMIs and payment firms, significantly raising operational expectations.

What’s new:

• Mandatory daily client money reconciliations

• Monthly safeguarding reporting to the FCA

• Annual safeguarding audits

• Detailed resolution packs for wind-down planning

• Stronger board-level oversight requirements

This is a structural shift.

Safeguarding is no longer a back-office compliance function.
It is now a board-level governance responsibility.

For many EMIs, this means upgrading reconciliation systems, audit trails, and financial control infrastructure.

Europe: DORA Is Now Operational Reality

The Digital Operational Resilience Act (DORA) is now fully in effect, fundamentally changing how EMIs manage:

• IT risk

• Cloud providers

• Cyber resilience

• Incident reporting

• Third-party outsourcing

Under DORA, EMIs must:

• Maintain formal ICT risk frameworks

• Conduct resilience testing

• Monitor third-party providers continuously

• Report major incidents within strict timelines

Compliance is no longer limited to AML.
Operational resilience is now a regulatory priority.

PSD3 Is Reshaping the Payments Framework

The proposed Payment Services Directive 3 (PSD3) aims to modernize and tighten the existing PSD2 regime.

Key expected impacts:

• Stronger fraud liability standards

• Enhanced consumer protection

• Greater transparency in fee structures

• Harmonised supervision across EU states

For EMIs, PSD3 will increase supervisory consistency meaning weak jurisdictions will no longer offer lighter compliance expectations.

AML: The Risk Map Has Shifted

The European Commission has updated its list of high-risk third countries.

This directly affects:

• Customer onboarding workflows

• Enhanced Due Diligence (EDD) triggers

• Transaction monitoring thresholds

• Risk scoring algorithms

If your compliance engine hasn’t updated jurisdictional risk models, you may already be misaligned with current expectations.

Enforcement Tone: Outcomes Over Documentation

Across both the UK and EU, supervision has evolved.

Regulators now expect:

• Evidence-based compliance

• Measurable control effectiveness

• Real-time monitoring capabilities

• Audit-ready data infrastructure

Having a written AML policy is no longer enough.

You must demonstrate:

• How alerts are generated

• How they are resolved

• How risk decisions are documented

• How safeguarding reconciliations are verified

• How third-party vendors are assessed

This is the era of operational proof.

What This Means for EMIs in 2026

Compliance priorities have shifted in five key areas:

1. Safeguarding & Financial Resilience

Daily controls. Monthly reporting. Board accountability.

2. AML & Risk Scoring

Dynamic jurisdiction updates. Stronger transaction monitoring logic.

3. Operational Resilience

Cloud oversight. Incident governance. Vendor risk frameworks.

4. Reporting Infrastructure

Regulatory data must be structured, auditable, and exportable on demand.

5. Governance & Accountability

Senior management now bears explicit responsibility for compliance effectiveness.

The Bigger Picture

Licences are still being granted across the UK and EU.

But regulators are no longer evaluating applicants solely on capital and paperwork.

They are assessing:

• System maturity

• Real-time compliance architecture

• Data traceability

• Governance quality

• Risk culture

The compliance burden has not simply increased — it has become more technical and operational.

Final Thought

2026 is not about getting licensed.

It is about staying inspection-ready.

For EMIs operating in or entering the UK and EU markets, the question is no longer:

“Do we have policies?”

It is:

“Can we prove compliance at any moment, with data?”

And that distinction is now regulatory.