Appendices
Appendix D — Regulatory Cheat Sheets
Region-by-region snapshots of the regimes that shape payments. This is orientation, not legal advice — rules change, thresholds move, and the change log (Chapter 40) tracks what's shifted since printing.
United States
| Regime | What it governs | Applies to | What practitioners get wrong | Chapter |
|---|---|---|---|---|
| Regulation E | Consumer electronic fund transfers — debit, ACH, error resolution rights | Banks and account providers | Assuming Reg E dispute rights mirror card chargebacks — different clocks, different burdens | Ch 10, 20 |
| Regulation Z (TILA) | Credit card billing, disclosures, dispute rights | Card issuers, creditors | Forgetting credit disputes are a legal right, not just a scheme rule | Ch 10, 13 |
| Durbin Amendment | Debit interchange caps for large issuers, merchant routing choice | Debit transactions | Not knowing regulated vs exempt debit priced very differently | Ch 10 |
| NACHA Operating Rules | ACH network rules, return codes, authorization requirements | ACH originators/ODFIs | Treating ACH like cards — returns arrive days later, and unauthorized-debit windows are long | Ch 18, 20 |
| State money transmitter licenses | Holding/moving other people's money | Wallets, payout platforms, some marketplaces | Discovering fifty-state licensing after building the flow of funds | Ch 22, 26 |
| BSA / AML (FinCEN) | KYC, monitoring, suspicious activity reporting | Financial institutions, MSBs | Assuming your PSP's KYC covers your own obligations | Ch 26 |
| GENIUS Act (2025) | Federal framework for payment stablecoins — full reserves, disclosures | Stablecoin issuers | Reading it as legalizing agent wallets — it regulates issuers, not agents | Ch 28, 33 |
EU & UK
| Regime | What it governs | Applies to | What practitioners get wrong | Chapter |
|---|---|---|---|---|
| PSD2 (PSD3/PSR incoming) | Payment services licensing, SCA, open banking access | PSPs, banks, merchants via SCA | Treating SCA as a card problem — it shapes every European checkout | Ch 11 |
| SEPA rulebooks (SCT, SCT Inst, SDD) | Euro credit transfers and direct debits | Eurozone payments | Underestimating SDD Core's long no-questions-asked refund window | Ch 18, 20 |
| Interchange Fee Regulation | Caps on consumer card interchange | EU card transactions | Assuming US-style interchange economics in Europe | Ch 10 |
| MiCA | Crypto-asset and stablecoin issuance/services in the EU | Issuers, CASPs | Ignoring that e-money-token rules bite stablecoin distribution | Ch 28, 30 |
| GDPR | Personal data, including payment data flows | Everyone touching EU data | Vaulting cardholder data without a lawful-basis story | Ch 25 |
| EU AI Act | AI system obligations; deployer duties phase in from Aug 2026 | Deployers of AI systems, incl. agentic payment flows | Missing that duties fall on the deployer — the buyer side, not just the vendor | Ch 33 |
| UK FCA regime | UK payments/e-money licensing, BNPL regulation incoming | UK-facing providers | Treating UK as still-EU — the rulebooks are diverging | Ch 23 |
Singapore & APAC
| Regime | What it governs | Applies to | What practitioners get wrong | Chapter |
|---|---|---|---|---|
| MAS Payment Services Act | Licensing by activity: accounts, transfers, e-money, digital payment tokens | Singapore payment providers | Assuming one license covers all activities — it's modular by service | Ch 22, 26 |
| PayNow / FAST + SGQR | Instant transfers, proxy addressing, unified QR | Singapore rails | Building for cards first in a market where QR + transfer is default | Ch 18, 19 |
| GIRO | Singapore's interbank direct debit | Recurring pulls | Forgetting GIRO's return and revocation behavior in dunning design | Ch 20 |
| HKMA stablecoin regime (2025) | Licensing of fiat-referenced stablecoin issuers in Hong Kong | Issuers touching HK | Conflating HK licensing with mainland China policy | Ch 28, 30 |
| MAS AI / agentic guidance | Risk management expectations for AI in finance | Licensed institutions | Waiting for an "agent license" — obligations attach to the licensee today | Ch 33 |
Global & Cross-Border
| Regime | What it governs | Applies to | What practitioners get wrong | Chapter |
|---|---|---|---|---|
| PCI-DSS | Cardholder data security — contractual, not law | Anyone storing/processing/transmitting PANs | Believing "compliant PSP" makes you compliant — scope is yours to manage | Ch 24 |
| OFAC / UN / EU sanctions | Prohibited parties and jurisdictions | Everyone moving money | Assuming screening is the bank's problem — fines land on facilitators too | Ch 26 |
| FATF travel rule | Originator/beneficiary info accompanying transfers, incl. crypto | VASPs, institutions | Discovering it mid-integration with a crypto counterparty | Ch 26, 28 |
Reading tip — When two regimes seem to conflict, the stricter one usually wins in practice, because your bank or PSP enforces its own most conservative reading on you. Chapter 26 explains why risk appetite, not law, is often the binding constraint.