Appendices

Appendix D — Regulatory Cheat Sheets

Region-by-region snapshots of the regimes that shape payments. This is orientation, not legal advice — rules change, thresholds move, and the change log (Chapter 40) tracks what's shifted since printing.

United States

RegimeWhat it governsApplies toWhat practitioners get wrongChapter
Regulation EConsumer electronic fund transfers — debit, ACH, error resolution rightsBanks and account providersAssuming Reg E dispute rights mirror card chargebacks — different clocks, different burdensCh 10, 20
Regulation Z (TILA)Credit card billing, disclosures, dispute rightsCard issuers, creditorsForgetting credit disputes are a legal right, not just a scheme ruleCh 10, 13
Durbin AmendmentDebit interchange caps for large issuers, merchant routing choiceDebit transactionsNot knowing regulated vs exempt debit priced very differentlyCh 10
NACHA Operating RulesACH network rules, return codes, authorization requirementsACH originators/ODFIsTreating ACH like cards — returns arrive days later, and unauthorized-debit windows are longCh 18, 20
State money transmitter licensesHolding/moving other people's moneyWallets, payout platforms, some marketplacesDiscovering fifty-state licensing after building the flow of fundsCh 22, 26
BSA / AML (FinCEN)KYC, monitoring, suspicious activity reportingFinancial institutions, MSBsAssuming your PSP's KYC covers your own obligationsCh 26
GENIUS Act (2025)Federal framework for payment stablecoins — full reserves, disclosuresStablecoin issuersReading it as legalizing agent wallets — it regulates issuers, not agentsCh 28, 33

EU & UK

RegimeWhat it governsApplies toWhat practitioners get wrongChapter
PSD2 (PSD3/PSR incoming)Payment services licensing, SCA, open banking accessPSPs, banks, merchants via SCATreating SCA as a card problem — it shapes every European checkoutCh 11
SEPA rulebooks (SCT, SCT Inst, SDD)Euro credit transfers and direct debitsEurozone paymentsUnderestimating SDD Core's long no-questions-asked refund windowCh 18, 20
Interchange Fee RegulationCaps on consumer card interchangeEU card transactionsAssuming US-style interchange economics in EuropeCh 10
MiCACrypto-asset and stablecoin issuance/services in the EUIssuers, CASPsIgnoring that e-money-token rules bite stablecoin distributionCh 28, 30
GDPRPersonal data, including payment data flowsEveryone touching EU dataVaulting cardholder data without a lawful-basis storyCh 25
EU AI ActAI system obligations; deployer duties phase in from Aug 2026Deployers of AI systems, incl. agentic payment flowsMissing that duties fall on the deployer — the buyer side, not just the vendorCh 33
UK FCA regimeUK payments/e-money licensing, BNPL regulation incomingUK-facing providersTreating UK as still-EU — the rulebooks are divergingCh 23

Singapore & APAC

RegimeWhat it governsApplies toWhat practitioners get wrongChapter
MAS Payment Services ActLicensing by activity: accounts, transfers, e-money, digital payment tokensSingapore payment providersAssuming one license covers all activities — it's modular by serviceCh 22, 26
PayNow / FAST + SGQRInstant transfers, proxy addressing, unified QRSingapore railsBuilding for cards first in a market where QR + transfer is defaultCh 18, 19
GIROSingapore's interbank direct debitRecurring pullsForgetting GIRO's return and revocation behavior in dunning designCh 20
HKMA stablecoin regime (2025)Licensing of fiat-referenced stablecoin issuers in Hong KongIssuers touching HKConflating HK licensing with mainland China policyCh 28, 30
MAS AI / agentic guidanceRisk management expectations for AI in financeLicensed institutionsWaiting for an "agent license" — obligations attach to the licensee todayCh 33

Global & Cross-Border

RegimeWhat it governsApplies toWhat practitioners get wrongChapter
PCI-DSSCardholder data security — contractual, not lawAnyone storing/processing/transmitting PANsBelieving "compliant PSP" makes you compliant — scope is yours to manageCh 24
OFAC / UN / EU sanctionsProhibited parties and jurisdictionsEveryone moving moneyAssuming screening is the bank's problem — fines land on facilitators tooCh 26
FATF travel ruleOriginator/beneficiary info accompanying transfers, incl. cryptoVASPs, institutionsDiscovering it mid-integration with a crypto counterpartyCh 26, 28
Reading tip — When two regimes seem to conflict, the stricter one usually wins in practice, because your bank or PSP enforces its own most conservative reading on you. Chapter 26 explains why risk appetite, not law, is often the binding constraint.
The Money AtlasAppendix D — Regulatory Cheat Sheets