BNPL Regulation: What FCA Authorisation Means for BNPL Operators
From 15 July 2026, third-party lenders that offer deferred payment credit (DPC), the product the market calls Buy Now Pay Later, must hold FCA authorisation, operate as an appointed representative of an authorised principal, or cease the activity in the UK. Firms have 35 days until the FCA’s Temporary Permissions Regime (TPR) notification window opens on 15 May 2026, and 96 days until Regulation Day. The FCA’s Policy Statement PS26/1, published on 11 February 2026, sets the final rulebook. HM Treasury estimated in its October 2024 consultation response that around 14 million UK adults used BNPL in the 12 months to January 2023, a market worth over GBP 13 billion. This is the most substantive change in consumer credit regulation since the 2014 transfer of the regime from the Office of Fair Trading to the FCA.
The statutory framework bringing BNPL inside the perimeter
BNPL becomes a regulated activity because The FSMA 2000 (Regulated Activities etc.) (Amendment) Order 2025 (SI 2025/859) narrows the exemption that has kept it outside the FCA’s perimeter. SI 2025/859 amends article 60F of the Regulated Activities Order 2001 so that interest-free credit of 12 or fewer instalments repayable within 12 months, when supplied by a third-party lender, no longer benefits from the exempt agreements carve-out and falls within the scope of regulated credit agreements under article 60B. The Order was made on 14 July 2025 and commences on 15 July 2026. The FSMA 2000 (Regulated Activities etc.) (Amendment) (No. 2) Order 2025 (SI 2025/1154) makes consequential amendments, including amending the new article 36FB so that credit broking in relation to a regulated DPC agreement is excluded from article 36A.
Two features of the scheme matter. First, merchants that offer their own DPC agreements directly to the consumer remain outside the regime, but the exemption is fact-sensitive. Where a merchant-provided journey is in substance white-labelled third-party lending, or where the merchant performs marketing or intermediation activities that look like credit broking, the exemption may not be available and a separate permission analysis is needed. Second, the activity sits within the section 19 FSMA 2000 general prohibition. From 15 July 2026, conducting the regulated activity without authorisation is a criminal offence under section 23, agreements are unenforceable against the borrower under section 26, and the FCA can seek restitution under section 28.
Analysis: what PS26/1 actually requires
PS26/1 applies most of the existing Consumer Credit Sourcebook (CONC) regime to DPC, with targeted adjustments. The headline substantive rules are four. Firms must carry out a proportionate creditworthiness assessment under CONC 5.2A for every DPC agreement, including for low-value transactions: the FCA rejected the de minimis carve-out that some respondents to CP25/23 had argued for, although the depth of assessment can be calibrated to the risk of the agreement. Firms must comply with the pre-contract information requirements of CONC 4, with DPC-specific adjustments to the form and timing of disclosure recognising the digital checkout journey. Firms must apply CONC 7 forbearance and arrears handling from day one of regulation. And firms will be subject to the Consumer Duty under PRIN 2A, which means DPC products, price and value, consumer understanding and consumer support all need to be documented and defensible.
The regulatory architecture matters. The statutory source of obligation is SI 2025/859 and FSMA 2000 Part 4A, which require authorisation and compliance with Threshold Conditions. CONC and PRIN prescribe how to comply, not whether the duty exists. The binding statutory deadline is 15 July 2026, but the operational build against CONC and the Consumer Duty is where most of the work sits. PS26/1 confirms that Financial Ombudsman Service jurisdiction extends to DPC from Regulation Day, giving consumers a binding dispute mechanism that has not been uniformly available to date.
The ambiguities sit around the edges of the perimeter. The interaction between DPC and the Payment Services Regulations 2017 is not always straightforward for firms active in both payments and credit value chains. Acquirers, wallets and orchestration platforms that present a DPC option at checkout need to map the boundary, including whether a particular journey engages the limited network exclusion in PSRs 2017 Schedule 1 Part 2 and whether the interaction is properly characterised as a payment instrument or as the grant of credit. A firm assessing its regulatory perimeter and market entry should start with the activity test and end with the Threshold Conditions.
Commercial and operational implications
The Temporary Permissions Regime (TPR) is the practical route through for firms already conducting DPC activity that do not already hold the necessary consumer credit permissions. The TPR notification window opens on 15 May 2026 and closes on 1 July 2026. A compliant TPR notification, subject to eligibility conditions, preserves the ability to continue DPC business while a full Part 4A authorisation application is assessed, and firms operating under temporary permissions remain subject to FCA supervision throughout the period. Firms that miss the window cannot rely on the TPR. They will either have to stop the activity, rely on a bridging commercial arrangement with an authorised principal (including acting as an appointed representative under FSMA s 39), or wind down. The operational cost of a late decision is therefore asymmetric: the cost of an unused TPR notification is low, but the cost of missing it is the business.
For the Part 4A application itself, firms should plan against a standard FCA authorisation workload: regulatory business plan, financial projections, governance and control framework, senior management responsibilities under the Senior Managers and Certification Regime (with scope depending on whether the firm falls into the limited scope, core or enhanced category), operational resilience, compliance monitoring, financial crime systems, and wind-down plan. Firms holding existing consumer credit permissions will need a variation of permission rather than a fresh application, but the VoP is not a formality: the FCA expects readiness against the DPC-specific aspects of CONC and the Consumer Duty.
| Workstream | Statutory source | FCA rules prescribing the method |
|---|---|---|
| Authorisation | FSMA 2000 s 19, s 31, s 55A | FCA Handbook SUP, COND |
| Creditworthiness | SI 2025/859, CCA 1974 s 55B as amended | CONC 5.2A |
| Pre-contract disclosure | CCA 1974 as amended | CONC 4 |
| Arrears and forbearance | CCA 1974 s 77A onwards | CONC 7 |
| Product and value governance | FSMA 2000 Part 9A | PRIN 2A (Consumer Duty) |
| Ombudsman jurisdiction | FSMA 2000 Part XVI | DISP |
Enforcement risk is concentrated in two places. First, conducting regulated activity without authorisation is a criminal offence under FSMA 2000 s 23. Second, post-Regulation Day, the Consumer Duty gives the FCA a broad supervisory tool. Firms that treat DPC as a light-touch consumer credit product will find the FCA’s expectations closer to those it applies to credit cards and retail finance.
Viewpoint
PS26/1 reads as a deliberately conservative policy statement. The FCA has resisted calls for a de minimis threshold, a light-touch disclosure regime, and a deferred creditworthiness assessment for small ticket sizes. That is consistent with the post-Consumer Duty approach: the duty is risk-agnostic, and the FCA is reluctant to engineer carve-outs that would undercut it.
The operational bottleneck for firms approaching authorisation for the first time is rarely the CONC rulebook in the abstract. It is the forensic traceability of decisions: being able to evidence, for a given customer at a given point in time, how the creditworthiness assessment was performed, what data was used, and how the outcome was recorded. Firms from an unregulated data science culture are often surprised by how much of the Part 4A application sits in governance documentation rather than in the technology stack. 15 May 2026 is the drafting deadline for the regulatory business plan, not the start.
Two follow-ons to watch. The FCA will use its first 18 months of supervision to calibrate enforcement under its standard civil toolkit, including own-initiative variation of permission, imposition of requirements, and financial penalties. And the political appetite to extend the perimeter to merchant-provided finance will not disappear: if the FCA concludes consumer harm has migrated into the excluded segment, Treasury is likely to revisit the exemption.
Links
- FCA PS26/1: Regulation of Deferred Payment Credit
- FCA CP25/23: Consultation on DPC (July 2025)
- FCA: Regulating Buy Now Pay Later (firms page)
- SI 2025/859: The FSMA 2000 (Regulated Activities etc.) (Amendment) Order 2025
- SI 2025/1154: The FSMA 2000 (Regulated Activities etc.) (Amendment) (No. 2) Order 2025
- FSMA 2000 (Regulated Activities) Order 2001 (SI 2001/544)
- Bratby Law: Payments Regulation
Call to action
Bratby Law advises UK payments firms on the regulatory perimeter, Consumer Duty implementation and FCA enforcement risk. For advice on whether your DPC activity falls within scope, or on preparing for Regulation Day on 15 July 2026, contact Rob Bratby at Bratby Law.
