DMA in-app payments: EU and UK pursue the same end through different machinery
In short: DMA in-app payments parity is here to stay. If you sell or process payments inside iPhone or Android apps, the EU rules forcing platforms to allow alternative wallets are locked in. The Commission confirmed that on 28 April 2026. In the UK, Apple and Google signed CMA commitments on 1 April 2026 and the FCA opened a parallel investigation into Mastercard, Visa and PayPal on 6 May 2026.
If a UK fintech or merchant acquirer wants its wallet to sit inside an iPhone or Android app on the same footing as Apple Pay or Google Pay, the DMA in-app payments rules and their UK counterparts decide whether it can. Two regulators on opposite sides of the Channel are pushing the same commercial question through different machinery. The European Commission’s first review of the Digital Markets Act, published on 28 April 2026, confirms the EU rules will keep biting on gatekeepers. The CMA’s strategic market status commitments from Apple and Google took effect on 1 April 2026. The FCA’s Competition Act 1998 investigation into Mastercard, Visa and PayPal, announced on 6 May 2026, sits in the gap.
Two regimes, one commercial question
The EU and the UK want the same thing on DMA in-app payments. They are getting there by different routes. The table below puts the two regimes side by side.
| Issue | EU (Digital Markets Act) | UK (DMCCA SMS + Competition Act 1998) |
|---|---|---|
| Trigger for the obligation | Article 3 gatekeeper designation. Articles 5, 6 and 7 obligations operate per se from designation. | SMS designation under Part 1 of the Digital Markets, Competition and Consumers Act 2024. Conduct requirements under section 19 are negotiated case by case, or commitments are accepted under section 36. |
| In-app payment parity | Article 5(7) DMA prohibits a gatekeeper from requiring end users or business users to use the gatekeeper’s own payment service or in-app payment system. Article 5(4) bans anti-steering on in-app communications. | CMA SMS commitments accepted from Apple and Google on 1 April 2026 cover app review, app ranking, data use and iOS interoperability. The CMA has signalled digital wallet competition as the next workstream. |
| Hardware access for third-party wallets | Article 6(7) DMA mandates effective interoperability with the same hardware features the gatekeeper uses. Apple’s Article 9 commitments in Case AT.40452 bind Apple in the EEA on free NFC access via host card emulation for ten years. | The 1 April 2026 commitments allow developers to request interoperable access to iOS features. NFC and wallet access sit outside the current commitments package and have been flagged for a later round. |
| Enforcement architecture | European Commission. Fines up to 10% of global turnover under Article 30 DMA, rising to 20% on repeat infringement. A €500 million fine on Apple on 23 April 2025 for Article 5(4) anti-steering is the first DMA non-compliance penalty. | CMA enforces commitments and conduct requirements under DMCCA Part 1 Chapter 4. The FCA holds concurrent Competition Act 1998 jurisdiction over payment services under the Financial Services (Banking Reform) Act 2013. |
| Concurrent competition law | Article 1(6) DMA preserves national competition law. Commission antitrust investigations run in parallel to the DMA. | Chapter I and Chapter II of the Competition Act 1998 apply concurrently. The FCA’s investigation of Mastercard, PayPal and Visa announced 6 May 2026 is the live UK example on the wallet stack. |
DMA in-app payments rules after the First Review
The headline from the Commission’s first review on 28 April 2026 is short. The law works and is staying. The forward areas the Commission singled out are AI, cloud, transparency and procedure. DMA in-app payments are not on that list, but not because they are quiet. The opposite is true. The Commission fined Apple €500 million on 23 April 2025 for breaching the Article 5(4) anti-steering rule, and the Review treats Articles 5 and 6 as bedding in rather than failing. Article 5(7), which sits next to Article 5(4), is the per-se rule that stops a gatekeeper forcing you to use its own in-app payment system.
For DMA in-app payments work, the most consequential elements of the EU framework are now stable. Article 5(7) bars a gatekeeper from requiring users of its core platform service to take the gatekeeper’s own identification service, web browser engine or payment service, including in-app payment systems. Article 6(7) requires effective interoperability with the same hardware and software features the gatekeeper accesses, which captures the NFC input on iPhone and the equivalent capabilities on Android. The Commission’s Article 9 commitments accepted in Case AT.40452 on 11 July 2024 bind Apple to free NFC access via host card emulation, with FRAND access to additional Apple Pay features, in the EEA for ten years. Our note on the DMA Review 2026 EU and UK position covers the broader Review outcome.
The UK lever and the FCA’s parallel CA 1998 investigation
The UK is moving on three tracks at once and the design of each track matters for any firm pricing wallet substitution risk. The CMA designated Apple and Google with strategic market status in their mobile platforms on 22 October 2025, the first SMS decisions under DMCCA 2024 Part 1. The commitments accepted from each firm on 1 April 2026, indexed on the gov.uk Find Digital Markets Measures register on 23 April 2026, cover app review, app ranking, data collection and a developer-facing process for requesting interoperable access to iOS features. The CMA has been explicit that fintech access to Apple’s digital wallet sits outside the current package and is the next workstream. Our analysis of the first DMCCA commitments covers the architecture in full.
The other UK lever is the FCA’s competition law toolkit, and on current timing it may bite first. On 6 May 2026 the FCA confirmed it is investigating Mastercard, PayPal and Visa under Chapter I, and Mastercard and Visa under Chapter II, for suspected anti-competitive conduct linked to the funding and usage of PayPal’s digital wallet. The trigger was PayPal’s Q1 2026 Form 10-Q disclosure that the FCA had served notices and information requests in March 2026. The FCA has reached no findings and is still gathering evidence. We covered the FCA investigation announcement when it came in. The Chapter II limb against Mastercard and Visa is the more potent of the two, because abuse of dominance liability runs to the funding side of the wallet stack and not just to the bilateral contracts.
DMA in-app payments and the commercial reality for fintechs and acquirers
The commercial reality for fintech product teams and merchant acquirers is that DMA in-app payments parity is now a multi-regulator surface in both markets. A third-party wallet seeking to substitute for Apple Pay on iOS in the EEA has a directly enforceable Article 6(7) entitlement to NFC access on FRAND terms, backed by the AT.40452 commitments. The same wallet in the UK has, today, an interoperability-request route under the 1 April 2026 commitments and the prospect of further measures on digital wallet access in the next CMA round.
Liability allocation does not move with the parity rules. When a third-party wallet routes a payment through an alternative to Apple Pay or Google Pay, the default position on unauthorised-transaction liability and refund rights continues to run through regulation 75 of the Payment Services Regulations 2017 and the equivalent rules in the recast Payment Services Directive in the EU. Strong customer authentication under regulation 100 PSRs 2017 continues to apply. Card scheme rules on chargebacks and dispute resolution sit on top. None of those rules change because DMA in-app payments parity has been forced open. The commercial question is who bears the operational and fraud risk on the rerouted transaction, and how the bilateral arrangements between wallet provider, acquirer and scheme price that risk. Our regulatory due diligence page covers the deal-side equivalent of that question on a target with platform exposure.
Viewpoint
I read the DMA First Review as confirming that the EU side of DMA in-app payments is locked in for the next three years. The Commission will keep enforcing Articles 5(4), 5(7), 6(4) and 6(7) on the existing gatekeepers and will reach for the Article 30 fine ceiling when it has to. In the UK, the CMA’s commitments-first architecture is slower to bind on paper but more precisely tunable to the harm, and the regulator’s pointer to digital wallet competition shows where the next round is going. In my view, the FCA’s CA 1998 investigation into Mastercard, Visa and PayPal is the more likely source of near-term UK enforcement pressure on the wallet stack, because Competition Act proceedings move on a faster clock than the second-cycle SMS conduct-requirement process. The harder question, on both sides of the Channel, is where platform security and integrity legitimately end and gatekeeper self-preferencing begins. That is where the next wave of disputes will land, and where the regulator framing matters more than the headline parity rule.
Frequently asked questions
Are DMA in-app payments obligations directly enforceable against Apple and Google?
In the EU, yes. Articles 5(4), 5(7), 6(4) and 6(7) DMA apply per se to designated gatekeepers from six months after designation. The European Commission enforces directly. The €500 million fine imposed on Apple on 23 April 2025 for Article 5(4) anti-steering breaches confirmed the Commission’s enforcement appetite. Article 30 DMA allows fines up to 10% of global turnover, rising to 20% on repeat infringement.
Do the CMA’s 1 April 2026 commitments require Apple or Google to open up NFC to third-party wallets?
Not yet directly. The commitments cover app review, app ranking, data use and a developer-facing process for requesting interoperable access to iOS features. The CMA has stated that fairer competition with Apple’s digital wallet is a subsequent workstream. NFC access for third-party wallets in the UK sits outside the current commitments package and will be addressed by a later conduct requirement or commitment under DMCCA 2024 sections 19 or 36.
How does the FCA’s CA 1998 investigation interact with the CMA’s SMS regime?
The FCA holds concurrent Competition Act 1998 jurisdiction over conduct in payment services under the Financial Services (Banking Reform) Act 2013. The CMA’s DMCCA Part 1 SMS regime is ex-ante and platform-focused. The FCA’s CA 1998 investigation into Mastercard, Visa and PayPal is ex-post and conduct-focused. The two run in parallel without displacement. A firm under both regimes may face simultaneous CMA SMS measures and FCA antitrust proceedings.
Who bears the chargeback and fraud risk when a third-party wallet routes a payment?
The DMA in-app payments parity rules do not move liability allocation. Regulation 75 PSRs 2017 places unauthorised-transaction liability on the payment service provider that authorised the transaction, with the strong customer authentication regime under regulation 100 modulating that allocation. Card scheme rules on chargebacks sit on top. The bilateral wallet, acquirer and scheme agreements price the residual operational and fraud risk; the parity rules force open access but leave the commercial allocation to the parties.
If you are pricing wallet substitution risk under the DMA in-app payments framework or assessing the impact of the UK regimes on your acquiring, e-money or PSP business, contact Rob Bratby at Bratby Law.
