The Green Sheet Online Edition
May 12, 2025 • 25:05:01
The UK's push for resilience - If your payment provider fails, so do you

If your payment provider went down tomorrow, would your business be able to keep running smoothly? Would customers still be able to check out, or would you be scrambling to explain why transactions aren't going through?
These are the kinds of questions UK merchants, acquirers and payment providers should already have answers to, because as of March 31, 2025, PS21/3, the Financial Conduct Authority's (FCA) operational resilience regulation, is in effect.
This isn't just another regulatory hoop to jump through. It's about ensuring that payments keep flowing even when things go wrong. Whether you're a payment provider responsible for securing transactions or a merchant relying on those services, failing to meet resilience standards could mean lost sales, frustrated customers and long-term reputational damage.
What PS21/3 means for merchants
PS21/3 requires banks, payment processors and fintech firms to prove that they can keep essential services running even during severe disruptions.
That means having contingency plans in place, identifying single points of failure and testing their ability to recover from cyberattacks, system failures or supplier outages.
But merchants must take note too. If a payment provider experiences an outage, the business accepting payments suffers just as much. Customers won't distinguish between a provider's system failure and a merchant's inability to process transactions - they'll just take their business elsewhere.
Now is the time for merchants to ask the right questions:
- Does my payment provider have failover mechanisms? Can they switch between multiple acquiring banks if their primary system goes down?
- Do they comply with PS21/3 regulations? A provider's failure to meet resilience standards could mean disruptions that directly impact revenue.
- What's their track record in handling disruptions? Have they implemented scenario testing and risk management strategies?
Choosing a resilient payment provider means greater stability, fewer failed transactions and a smoother experience for customers—a key differentiator in today's competitive marketplace.
Third-party risks
Many financial institutions and payment providers don't just rely on their own infrastructure—they depend on third-party vendors to deliver critical services. That's where things get complicated.
The CrowdStrike outage in 2024 was a wake-up call for the industry. A single software update caused widespread service failures, affecting banks, payment providers and merchants alike. Some businesses had strong resilience plans in place and recovered quickly. Others were left panicking, realizing they had no control over the third-party disruptions that took them offline.
The FCA made it clear: outsourcing responsibility doesn't mean outsourcing accountability. Financial institutions must actively manage third-party relationships, conduct resilience tests and ensure that suppliers can meet regulatory standards. If a third party fails, the responsibility still falls on the regulated firm.
For merchants, this adds a layer of risk. If your payment provider lacks oversight of its third-party dependencies, your business is exposed to the same risks.
Merchants should ensure that their providers have a clear strategy for mitigating third-party disruptions, because if they fail, so do you.
Payment resilience is business resilience
Payment failures don't just frustrate customers; they impact revenue, trust and long-term business growth. Merchants rely on their payment providers to ensure transactions go through smoothly, but not all providers are equally prepared for PS21/3.
A resilient payment provider should have the infrastructure to prevent reliance on a single processor by incorporating multi-acquirer setups. They should also be able to switch payment traffic dynamically through intelligent transaction routing when disruptions occur.
Real-time monitoring is essential for detecting and resolving issues before they impact customers, while transparent resilience plans ensure they meet regulatory expectations and maintain trust with merchants.
If your payment provider isn't ready for PS21/3, your business could suffer the consequences.
Firms and merchants need to focus on refining and stress-testing their operational resilience frameworks. Beyond compliance, it's about ensuring they can actually function in the face of a disruption.
For those still finalizing their approach, the most urgent priorities include validating their impact tolerances to ensure they can recover within set timeframes, running emergency scenario tests to stress-test their resilience plans, confirming that third-party providers are meeting compliance standards, and updating incident response strategies so teams know exactly what to do in a crisis.
The FCA isn't expecting perfection overnight, but firms must be able to prove they have made serious efforts to comply. The closer they are to full compliance, the easier it will be to refine and strengthen resilience strategies in the months ahead.
Why resilience is a competitive advantage
Meeting PS21/3 standards is more than avoiding regulatory scrutiny; it's about building a stronger, more reliable business.
Customers and merchants will gravitate toward financial institutions and payment providers that can guarantee stability. Payment providers that can prove their resilience will be in a stronger position to win merchant trust and secure long-term relationships.
In contrast, those that fall short risk reputational damage, customer churn and potential regulatory action.
For merchants, choosing a payment provider that prioritizes resilience is a smart business move. Lost transactions mean lost revenue. The ability to process payments smoothly, even when disruptions occur, will set resilient businesses apart from the competition.
The last three years have been about preparation, but now PS21/3 is reshaping expectations for financial resilience in the UK, and those who haven't adapted will feel the pressure. Firms that have taken resilience seriously will move forward with confidence. Those that delayed or downplayed the importance of PS21/3 will have to work even harder to catch up.
Ryta Zasiekina, founder of Concryt, is a leading voice in payments orchestration and fintech investment. Contact her via LinkedIn at linkedin.com/in/zasiekina.