Part X: The Living System
Chapter 39 — What Changes, What Doesn't
Part X: The Living System
You walk into a payments conference on a Tuesday morning and five things hit you before you reach the coffee station. The EU's instant payments mandate just went live — every eurozone bank must now process credit transfers in under 10 seconds, any time, any day. PCI DSS v4.0.1's future-dated requirements became mandatory last month, and your compliance team is still patching gaps. SWIFT's ISO 20022 coexistence period for cross-border payments ended in November, which means the old MT message formats are gone — new field structures, new validation rules, new address formats, all live. FATF just updated Recommendation 16 to tighten payment transparency requirements for fragmented transaction chains. And Visa's latest rulebook edition dropped 30 pages of changes, effective immediately.
It feels like the ground is moving under your feet. Every quarter brings a new acronym, a new deadline, a new compliance program. If you are new to payments, the volume is paralyzing. If you are experienced, it is exhausting.
But here is the question this chapter asks: what if most of that change clusters in just a few layers, and a smaller set of fundamentals never moves at all?
That is the core insight. Payments feel volatile because regulation arrives on public deadlines, network rulebooks update continuously, and data migrations change the shape of every message in the system. The surface is always in motion. But underneath — the economic structure, the lifecycle phases, the risk categories, the need for governance — the deep architecture is stubbornly stable. If you learn the constants first, every new rail, standard, or compliance requirement becomes a variation on known themes, not a fresh puzzle.
This chapter separates the constants from the variables, gives you a layered mental model, and shows you how to use it regardless of whether you are entering payments for the first time, running a merchant business, or building payment infrastructure. It is also what keeps the playbooks in Chapters 35–38 from going stale: a playbook is only as durable as the assumptions underneath it, and this chapter is the map of which assumptions hold.
Why Payments Feel Like They Change Every Year
The feeling of constant change is not an illusion — but it is concentrated. Three drivers create the drumbeat, and each one operates on visible, public timelines that amplify the sensation.
Regulation arrives on public deadlines. When the European Union's instant payments regulation took effect on 9 October 2025, every eurozone payment service provider had to comply simultaneously. New rules requiring euro credit transfers to complete within seconds, available around the clock, across the entire eurozone — effective for all participants on the same date. This "big bang" feeling is inherent to regulatory change. Everyone scrambles at once, every vendor sends urgent emails, every conference panel discusses the same deadline. It creates the impression that payments as a whole are being reinvented, when in reality a specific layer — the service-level requirement for euro transfers — shifted.
Similarly, PCI DSS v4.0.1's future-dated requirements became effective on 31 March 2025. Requirements that had been "best practice" were now mandatory: targeted risk analysis, enhanced authentication controls, stronger script management. Every organization in scope faced the same deadline, creating a wave of vendor communications, audit prep, and security upgrades that felt like industry-wide upheaval.
Network rulebooks evolve continuously. Visa and Mastercard publish operating rules that function as binding contracts for every participant in their ecosystems. These rulebooks are updated regularly, with detailed "Summary of Changes" sections documenting what shifted and when. Mastercard frames its rules as standards supporting safety, security, integrity, and interoperability. Visa positions its core rules similarly. The updates cover everything from dispute rules and data requirements to compliance programs and product constraints. For a merchant or processor, each edition means reviewing the changes, assessing impact, and adjusting operations — a constant operational drumbeat.
Data modernization migrations change formats and validation. ISO 20022 — the global standard for financial messaging — reshaped how cross-border payments carry data. SWIFT's CBPR+ (Cross-Border Payments and Reporting Plus) coexistence period ended on 22 November 2025, meaning the old MT format messages are no longer accepted. New field lengths, structured address formats, richer remittance data, stricter validation rules — all live. In card ecosystems, ISO 8583-style messaging still underpins much of the authorization chain, but enrichment requirements keep growing. The format changes are real and operationally significant. But they change how data moves through the system, not why the system exists or what it fundamentally does.
The pattern across all three drivers is the same: the surface changes on deadlines, so it feels like the ground is always moving. Yet the deep structure — what a payment is, what risks it creates, what lifecycle it follows, who participates, and why governance exists — is remarkably stable. The rest of this chapter maps those constants, identifies where to expect volatility, and gives you a model for navigating both.
The Things That Don't Change
Underneath the rolling deadlines and format migrations, seven structural constants hold. They were true when card networks launched in the 1960s. They were true when ACH went electronic. They are true for real-time payment rails, stablecoins, and whatever comes next. They persist because they are properties of moving value between parties — not properties of any particular technology.
Settlement finality. The Bank for International Settlements defines final settlement as the irrevocable and unconditional transfer of an asset. The CPMI-IOSCO Principles for Financial Market Infrastructures — the global standard for payment system design — treats finality as a foundational building block for risk management. A payment is ultimately a controlled ledger update with a legally meaningful endpoint. Until finality is achieved, the payment is provisional — it can be reversed, disputed, or unwound. After finality, it cannot. This distinction shapes everything from how long merchants wait to ship goods to how banks manage their overnight liquidity. The technology that achieves finality changes. The need for finality does not.
Risk categories. Every system that moves value creates four categories of risk: legal risk (will this transaction be enforceable?), credit risk (will the counterparty pay?), liquidity risk (will the funds be available when needed?), and operational risk (will the system actually work?). The PFMI framework calls for comprehensive management across all four. These categories are as true for a card scheme as for a fast-payment rail or a cross-border stablecoin corridor. The instruments change. The risk taxonomy does not.
Lifecycle phases. Authorization, clearing, settlement, exception handling. Every payment — card, transfer, direct debit, real-time — must be instructed, calculated, settled, and may fail. Visa's developer documentation confirms these distinct phases for acquirer processing: a transaction is authorized, then cleared (the financial details are exchanged), then settled (money moves between institutions), and exceptions are handled when something goes wrong. What changes is how fast the phases occur, how much data flows through each one, and who connects directly. Whether the phases exist is not up for debate.
Roles. Payer, payee, entities that authorize, route, settle, and handle exceptions. In a four-party card model, you have the cardholder, the merchant, the issuing bank, the acquiring bank, and the card network. In an instant payment rail, you have the sender, the receiver, their respective banks, and the clearing and settlement operator. Product names change constantly — Visa Direct, Mastercard Send, FedNow, PayNow. The functional roles behind them persist.
Economic structure. Someone pays to move money, and fees distribute across the ecosystem. In a card payment, the merchant service charge contains interchange (the issuer's share), scheme fees (the network's share), and acquirer processing costs. SIX Group — operator of Swiss payment infrastructure — documents this breakdown clearly: the total merchant fee is a composite of components allocated to different participants based on the value each provides. Fee rates shift. Regulatory caps alter the percentages. Litigation reshapes the boundaries. But the allocation structure — multiple parties sharing the cost of a value-transfer service — is stable.
Governance and rulebooks. Multi-party payment systems need agreed standards. Visa positions its operating rules as binding contracts supporting safety, security, integrity, and interoperability across the ecosystem. Mastercard frames its rules similarly. Beyond card networks, the Bank of England defines a payment system as a set of common rules, procedures, and technical standards combined with operators and infrastructure providers. Governance makes interoperability possible. Without shared rules, every bilateral relationship would need its own protocol — which is exactly what you see in fragmented markets before a central scheme or rail emerges.
Regulation as a constant. Governments always regulate how money moves. Singapore's Payment Services Act licenses seven categories of regulated payment services: account issuance, domestic money transfer, cross-border money transfer, merchant acquisition, e-money issuance, digital payment token services, and money-changing. The categories themselves are a signal of what endures — they map to functional activities (issuing accounts, moving money, acquiring merchants, handling tokens) that exist regardless of technology. Specific regulations change. The fact that value-transfer activities attract regulatory oversight does not.
| Constant | What It Means | Why It Persists |
|---|---|---|
| Settlement finality | Irrevocable, unconditional transfer of value | Legal certainty required for commerce |
| Risk categories | Legal, credit, liquidity, operational | Every value-transfer system creates these |
| Lifecycle phases | Auth, clearing, settlement, exception | Every payment must be instructed, calculated, settled, and may fail |
| Roles | Payer, payee, authorizer, router, settler, exception handler | Functional needs persist even as product names change |
| Economic structure | Fees distributed across participants | Moving value has real costs that must be allocated |
| Governance | Binding rules enabling interoperability | Multi-party systems need agreed standards |
| Regulation | Oversight of value-transfer activities | Governments always regulate how money moves |
Table 1: The Seven Constants of Payments. These structural properties hold across card networks, bank transfers, real-time rails, and emerging digital asset payment channels. Technology changes what sits inside each constant — not whether the constant exists.
The Things That Do Change
If the constants are the bedrock, the variables are the topsoil — always shifting, sometimes dramatically, but riding on stable foundations. Six buckets capture where to expect volatility.
Rails and service levels. The speed, availability, and settlement windows of payment systems keep expanding. The Clearing House's RTP network in the United States operates around the clock — 24/7/365 availability for real-time credit transfers. The Federal Reserve launched FedNow in July 2023, adding a second real-time rail. In Singapore, FAST (Fast and Secure Transfers) launched on 17 March 2014 and expanded to non-financial institution participants from February 2021, while PayNow offers near-instant transfers using alias-based addressing. Brazil's Pix, live since November 2020, processes more transactions than cards in the domestic market. Each new rail raises the baseline expectation: faster settlement, longer operating hours, more participant types. The underlying lifecycle — instruct, clear, settle, handle exceptions — remains. The service level at which it executes keeps moving upward.
Messaging standards and data requirements. This is the layer that creates the most migration work. Card ecosystems still rely on ISO 8583-style messaging — IBM describes it as the international standard for systems exchanging electronic transactions by financial institutions — in parts of the authorization chain. Cross-border banking has moved to ISO 20022, with SWIFT positioning it as the new global standard for payments and reporting. The CBPR+ coexistence period ended 22 November 2025, meaning old MT formats are now retired. What changes: field lengths, address structures (ISO 20022 requires structured addresses rather than free-text), remittance data capacity, and validation rules. What does not change: the purpose of the message (instruct a payment, confirm a settlement, report an exception).
Identity and addressing. How you identify a payer or payee is one of the fastest-moving layers. PayNow in Singapore uses alias-based addressing — your mobile number or NRIC (national identification number) maps to your bank account, so senders never need to know account numbers. Brazil's Pix uses similar alias keys. These overlay directories sit on top of existing account infrastructure, adding a usability layer without changing the settlement mechanics underneath. Expect this layer to keep evolving as wallets, biometrics, and digital identity standards mature.
Security technology. EMVCo reports over 12 billion EMV chip cards in global circulation — chip technology remains the anchor for in-person card security. EMV 3-D Secure supports strong customer authentication and two-factor verification for online card payments. Payment tokenization replaces PANs with constrained tokens that reduce the blast radius of a data breach. Each of these technologies represents a shift in how security is implemented. The security goal — verify the payer, protect sensitive data, prevent fraud — is a constant dressed in variable clothing.
Compliance demands. The goals of compliance — transparency, consumer protection, financial crime prevention, operational resilience — are constants (captured in our "regulation" constant above). But the specific implementation requirements change on public deadlines. FATF's update to Recommendation 16 in June 2025 tightened payment transparency requirements, specifically addressing fragmented transaction chains where multiple intermediaries handle portions of a payment. DORA — the EU's Digital Operational Resilience Act — entered application on 17 January 2025, imposing ICT resilience requirements on financial entities. PCI DSS v4.0.1's future-dated requirements went mandatory on 31 March 2025. Each creates a compliance program, a deadline, and a wave of operational change. The pattern is predictable even when the specifics are not.
Governance structures and economics. Who governs a payment rail, who can participate, and who pays whom — these are contested terrain. In Singapore, MAS and the Association of Banks in Singapore announced a new entity to consolidate scheme governance for domestic payments. In the United Kingdom, a tribunal ruled that Visa and Mastercard's interchange fees breached competition law — both networks are appealing. Fee structures, access rules, and scheme administration are political as much as technical. They shift when regulators intervene, when courts rule, when new participants demand access, or when market power rebalances. The existence of governance and economics is a constant. The specifics of who governs and how much they charge are among the most volatile elements in the system.
| Change Bucket | What Moves | Recent Example |
|---|---|---|
| Rails and service levels | Speed, operating hours, settlement windows | FedNow launch (July 2023); FAST NFI expansion (Feb 2021) |
| Messaging and data | Field formats, validation rules, schemas | ISO 20022 CBPR+ end of coexistence (Nov 2025) |
| Identity and addressing | Alias directories, proxy IDs, overlay services | PayNow mobile/NRIC aliases; Pix alias keys |
| Security technology | Auth methods, tokenization, device binding | EMV 3DS for SCA; EMVCo payment tokenization |
| Compliance demands | Data fields, transparency rules, resilience mandates | FATF R16 update (June 2025); DORA (Jan 2025) |
| Governance and economics | Access rules, fee structures, scheme administration | SG scheme governance consolidation; UK interchange ruling |
Table 2: Where to Expect Volatility. Each bucket changes on its own timeline, but the pattern is consistent: the implementation shifts while the underlying function remains stable. Knowing which bucket a change falls into tells you who owns the response and how deep the impact runs.
A Mental Model That Survives the Next Wave
The constants and variables map onto a layered architecture. Think of payments as a six-layer stack, with the most stable layers at the bottom and the most volatile at the top. When change arrives — a new regulation, a new rail, a new data standard — it almost always hits one or two layers, not all six. Knowing which layer is affected tells you how deep the impact runs.
Layer 1: Legal and governance. The foundation. What counts as a valid payment instruction. Who is responsible when something goes wrong. When settlement is legally final. The PFMI's emphasis on settlement finality illustrates why this layer sits at the bottom — without legal certainty about when a transfer is complete, nothing above it can function reliably. This layer changes slowly, through legislation and court rulings, not software releases.
Layer 2: Settlement. Central-bank-operated infrastructure — RTGS (Real-Time Gross Settlement) systems and their equivalents — where interbank obligations are discharged. Settlement in central bank money eliminates or reduces credit risk between participants because the settlement asset is the safest available. This layer changes when central banks upgrade their systems (which happens, but on decade-long timelines) or when new settlement models emerge (like the distributed settlement experiments in digital currency pilots).
Layer 3: Rail and scheme. The operating systems of payments. Card networks, instant payment systems, ACH operators, cross-border corridors. They codify message flows, participant access rules, exception handling procedures, and fee structures. Visa and Mastercard's substantial rulebooks — with regular "Summary of Changes" editions — are evidence of how central and how actively managed this layer is. It changes more frequently than settlement but less frequently than the layers above.
Layer 4: Messaging and data. Where most migrations happen. ISO 8583 in cards. ISO 20022 in cross-border and increasingly in domestic real-time rails. This layer moves because compliance requirements demand richer data, automation requires structured fields, and reconciliation needs consistent formats. The SWIFT ISO 20022 migration is a textbook example: the purpose of cross-border payment messaging did not change — the data structure that carries the message did.
Layer 5: Identity and security. EMV 3DS, payment tokenization, device binding, alias directories like PayNow and Pix. This layer often evolves faster than settlement or scheme rules because security threats evolve continuously and user-experience expectations ratchet upward. A new authentication method or a new tokenization standard can deploy in months, while a settlement infrastructure change takes years.
Layer 6: Product and experience. Checkout flows, wallet interfaces, recurring billing UX, pay-by-link, QR code payments. This is the layer customers see and the layer that changes most frequently. It rides entirely on the five layers below it. A beautiful checkout experience means nothing if the settlement layer cannot discharge the obligation or the governance layer does not recognize the transaction as valid.
Diagram 1: The Six-Layer Payments Stack. Stability increases from top to bottom. Product and experience (Layer 6) changes constantly; legal and governance (Layer 1) changes on legislative timelines. Most industry "disruption" hits Layers 4-6. True structural change — rare but profound — happens at Layers 1-2.
The key insight is not the layers themselves — it is the interfaces between them. Each layer's interface with the layers above and below it tends to be more stable than any single implementation within the layer. That is how the ecosystem absorbs massive change (like the ISO 20022 migration reshaping Layer 4) without reinventing payments from scratch. The messaging format changed. The rail's rules about what constitutes a valid payment instruction did not. The settlement mechanics did not. The legal framework for finality did not.
When you encounter a new "disruption" — a new payment rail, a new compliance requirement, a new checkout technology — ask: which layer does this change sit in? If it is Layer 5 or 6, the impact is real but bounded. If it is Layer 3, the operational implications are significant. If it touches Layers 1 or 2, pay very close attention — that is structural change, and it happens rarely.
How to Use This Chapter Depending on Who You Are
The constants, variables, and six-layer model are tools. How you use them depends on where you sit.
If You Are New to Payments
Start with the constants. Before you learn any specific rail, scheme, or compliance program, internalize the seven structural properties from earlier in this chapter: finality, risk categories, lifecycle phases, roles, economic structure, governance, regulation. These are your anchor points.
The PFMI framework and BIS glossary are worth reading — not for the regulatory detail, but because they define terms precisely. When "settlement" and "clearing" stop sounding like synonyms and start meaning distinct things, you have crossed an important threshold.
When you encounter a new payment rail or product — and you will, constantly — ask three questions: Where is finality achieved? What risks exist before finality? Who owns exception handling? Those three questions work whether you are looking at card payments, bank transfers, wallet transactions, or cross-border corridors. They cut through product marketing and get to the structural reality of how the system works.
Do not try to learn everything at once. The six-layer model gives you permission to ignore layers that are not relevant to your current role. If you are building checkout experiences, you live in Layers 5 and 6. You need to understand that Layers 1-4 exist, but you do not need to master RTGS settlement mechanics on day one.
If You Are a Merchant
Your surface area of change is bounded but operationally intense. Four levers stay relevant regardless of which payment methods you accept or which markets you operate in.
Compliance and security hygiene. PCI DSS v4.0.1 is the current example, but the pattern repeats: a security standard evolves, a deadline arrives, and your compliance posture either holds or does not. Build the muscle of continuous compliance rather than deadline-driven scrambles. The merchants who treated PCI v4.0.1's future-dated requirements as "we will get to it" were the ones scrambling in March 2025.
Rulebook-driven operations. Visa and Mastercard's "Summary of Changes" documents are your operational changelog. They affect dispute rules, data requirements, acceptance obligations, and product constraints. Assign someone to read the summary for each edition, assess impact, and route changes to the right owner. This is not glamorous work. It is the work that prevents surprises.
Cost structure literacy. The merchant service charge is a composite — interchange, scheme fees, and acquirer margin. Understanding the breakdown (which SIX Group and others document clearly) means you can negotiate intelligently, evaluate PSP pricing, and understand why your effective rate differs across payment methods, card types, and regions. When the UK tribunal ruled on interchange fees, merchants who understood the fee structure could assess the implications. Those who treated the MSC as a single number could not.
Local rails as strategic options. Real-time payment rails — FAST/PayNow in Singapore, RTP and FedNow in the US, SEPA Instant in Europe — offer different cost structures, different settlement timelines, and different refund mechanics than card networks. They are not drop-in replacements. PayNow transactions are irrevocable in a way that card payments (with their dispute mechanisms) are not. But they expand your payment mix and, in many markets, reduce your per-transaction cost. Evaluate them as infrastructure options, not just checkbox items.
If You Are a Payments Professional
You already know the constants — you live inside them. Your challenge is designing systems that absorb continuous change without breaking. Three patterns from recent change waves are worth internalizing.
Design for standards migration. The ISO 20022 hard cutover for SWIFT CBPR+ demonstrated that message schemas are not permanent. If your system treats a message format as a fixed structure baked into application logic, every migration is a rewrite. The alternative: treat message schemas as versioned contracts. Build translation and validation as first-class capabilities, not afterthoughts. When the next format migration arrives — and it will — your system absorbs it at the messaging layer without cascading changes into business logic.
Assume stronger data and transparency requirements. FATF's June 2025 update to Recommendation 16 is the latest example, but the direction is clear: regulators want more data about who is sending money, who is receiving it, and what intermediaries are involved. The update specifically addresses transparency in fragmented transaction chains where multiple intermediaries each handle portions of a payment. Design your data model to carry richer originator and beneficiary information than today's minimum requirements demand. The regulatory floor only moves in one direction.
Engineer operational resilience, not just uptime. DORA's application in January 2025 formalized what the industry was already learning from incidents: resilience is assessed end-to-end, not just at individual service boundaries. When Reuters reported on the CHAPS outage caused by a third-party supplier incident, the lesson was clear — your system's resilience includes your vendors' resilience. Build for graceful degradation, practice failover, and treat third-party dependencies as part of your operational perimeter, not as external concerns.
A Living Checklist
The constants give you stability. The six-layer model gives you structure. This checklist gives you a scanning discipline — five signal buckets to monitor so that change arrives as a known category, not as a surprise.
Rulebook change signals. Visa and Mastercard publish edition summaries covering dispute rules, data requirements, compliance programs, and product constraints. When a new edition drops, the question is not "did anything change?" — it always did. The question is "which of my operational processes does this affect, and who owns the response?" Assign rulebook review to a named owner with a standing cadence.
Messaging and data change signals. ISO 20022 milestones are the current headline, but domestic rails also enrich their data requirements over time. Watch for new mandatory fields, structured address requirements, and remittance data expansions. These changes affect reconciliation, reporting, and integration testing. The underlying principle: data is becoming infrastructure. Richer, more structured payment data enables better compliance, better fraud detection, and better reconciliation — which is why regulators and schemes keep demanding more of it.
Regulatory change signals. Three sub-categories to track: payments conduct regulation (like the EU instant payments mandate), operational resilience regulation (like DORA), and AML/payment transparency regulation (like FATF Recommendation 16). Each has a different regulatory body, a different compliance timeline, and a different operational owner. Tracking them in a single "regulatory" bucket means nothing falls between the cracks.
Access and governance change signals. Who can connect directly to a payment rail, and who governs the rail's rules? Singapore's FAST expansion to non-financial institution participants in February 2021 changed the access model. The MAS/ABS announcement of a new entity to consolidate domestic scheme governance changes the governance model. These shifts affect competitive dynamics, integration options, and long-term infrastructure strategy.
Economics and competition change signals. Litigation, regulatory actions, and policy reviews that reshape fee structures or acceptance rules. The UK tribunal ruling on Visa and Mastercard interchange fees — still being appealed — is the kind of signal that, regardless of final outcome, indicates where the political and economic pressure points lie. Watch for regulatory interchange caps, competition authority investigations, and scheme fee restructurings.
The checklist is not a prediction tool. It does not tell you what will change next. It tells you where to look so that when change arrives, you have already been watching the right layer.
The constants in payments are about finality, risk, roles, and governance. The variables are mostly the interfaces humans touch (product experience), the data that rides along (messaging schemas), and the rule constraints that keep the system safe (compliance requirements). Anchoring on the constants is how you stay effective while everything else keeps moving.
In Chapter 40, we turn this orientation into a practical reference: the payments change log — a structured timeline of the regulatory, technical, and industry changes that have shaped the modern payments landscape, and a template for tracking what comes next.
Sources
- Bank for International Settlements (BIS) — CPSS Glossary: definition of settlement finality as irrevocable and unconditional transfer
- CPMI-IOSCO — Principles for Financial Market Infrastructures (PFMI, 2012): settlement finality as risk management building block; comprehensive risk framework (legal, credit, liquidity, operational)
- Visa — Core Rules and Visa Product and Service Rules: binding contract framing, "Summary of Changes" by edition, interoperability standards; developer documentation on acquirer processing lifecycle phases
- Mastercard — Rules manual: standards supporting safety, security, integrity, and interoperability; "Summary of Changes" documentation
- Bank of England — Payment system definition: common rules, procedures, operators, and infrastructure providers
- SIX Group — Merchant service charge breakdown: interchange, scheme fees, and acquirer processing costs
- Singapore Payment Services Act (2019) — Licensing framework covering seven regulated payment service categories
- Monetary Authority of Singapore (MAS) — Regulated payment service categories; MAS/ABS scheme governance consolidation announcement
- Association of Banks in Singapore (ABS) — PayNow alias-based addressing (mobile/NRIC); FAST launch (17 March 2014) and NFI expansion (February 2021)
- European Union — Instant payments regulation: 9 October 2025 effective date for eurozone credit transfers
- SWIFT — ISO 20022 as the global standard for payments and reporting; CBPR+ coexistence end date (22 November 2025)
- PCI Security Standards Council — PCI DSS v4.0.1 future-dated requirements mandatory from 31 March 2025
- IBM — ISO 8583 as the international standard for electronic transaction exchange
- The Clearing House — RTP network: 24/7/365 real-time payment availability
- Federal Reserve — FedNow Service launch (July 2023)
- Central Bank of Brazil — Pix instant payment system (live since 16 November 2020)
- EMVCo — EMV Chip specifications (12+ billion cards in circulation); EMV 3-D Secure for strong customer authentication; payment tokenization specification
- FATF — Recommendation 16 update (June 2025): payment transparency requirements for fragmented transaction chains
- European Union — Digital Operational Resilience Act (DORA): application date 17 January 2025
- Reuters — CHAPS outage reporting (third-party supplier incident, 2024); UK tribunal ruling on Visa/Mastercard interchange fees (2025)