Regulations & Standards Index


Below are some key regulations in A24’s key locations concerning payments, privacy, and information security, along with links to relevant resources.

These regulations provide a comprehensive framework for these areas across the jurisdictions in which we operate:

Introduction

At A24, we understand the critical importance of compliance in an interconnected world, where organisations need to navigate the complexities of payments, security, and privacy standards. This resource provides an index to essential frameworks like PCI DSS and ISO 2700x, alongside region-specific regulations and privacy laws that impact businesses.


1. Regulatory Compliance

Each jurisdiction has its own regulatory frameworks designed to protect consumer data, prevent fraud, and maintain financial system integrity. For example, in the United States, businesses must adhere to the Payment Card Industry Data Security Standard (PCI DSS), which outlines specific requirements for safeguarding payment data. In the European Union, the General Data Protection Regulation (GDPR) mandates stringent rules for data protection and privacy, which significantly impact how companies handle customer information. Meanwhile, Australia's Privacy Act and APRA's CPS 234 regulation focus on data privacy and the security of financial systems. Companies that fail to meet these local or international standards risk regulatory penalties, including fines, operational restrictions, or even the loss of licenses to operate.

2. Mitigating Cybersecurity Risks

The payments sector is a prime target for cybercriminals due to the large volumes of sensitive data it handles. Data breaches and security incidents can have a profound impact on both consumers and businesses, leading to stolen funds, identity theft, and erosion of customer trust. Compliance with security standards such as PCI DSS, ISO 27001, and ISO 27002 helps organisations build robust security infrastructures. These standards provide guidelines on best practices for securing payment systems, encrypting data, managing user access, and monitoring for potential security incidents. By implementing these controls, companies can mitigate cybersecurity risks and reduce the likelihood of a breach.

3. Safeguarding Consumer Trust

Trust is a critical currency in the digital economy. Consumers are increasingly concerned about how their personal information is handled, particularly in the context of online payments. Adherence to security and privacy guidelines helps reassure customers that their sensitive data is being protected. This is particularly important in highly regulated industries like financial services and e-commerce, where trust can directly influence purchasing decisions. Companies that are transparent about their commitment to security and privacy are more likely to attract and retain customers.

4. Enabling Global Operations

For businesses operating across multiple jurisdictions, understanding regional payment standards and privacy laws is crucial to ensuring seamless global operations. Each country or region may have unique requirements for how payments are processed or how data is transferred across borders. For instance, GDPR regulates how companies export personal data from the EU to countries that do not provide adequate privacy protections. The US, on the other hand, focuses heavily on protecting cardholder data. By being aware of these regulations, companies can ensure they are meeting all necessary compliance obligations and avoid disruptions to their business operations.

5. Avoiding Fines and Penalties

Companies that fail to meet these local or international standards risk regulatory penalties, including fines, operational restrictions, or even the loss of licenses to operate.

United Kingdom

Payment

  • Regulates payment services and electronic money in the UK.

  • Governs financial services and markets, including payments.

Privacy

  • Implements the GDPR and regulates the processing of personal data in the UK.

  • While originally an EU regulation, it has been retained in UK law post-Brexit.

Australia

Payment

  • Regulates payment systems in Australia and provides the Reserve Bank of Australia with powers to regulate those systems.

  • Amends various acts to regulate financial services, including payments.

  • APRA oversees banks, credit unions, building societies, insurance companies, and most members of the superannuation industry. It ensures these institutions meet strict financial and operational standards, including those related to payment operations.

    Prudential Standards:

    APRA issues various prudential standards and guidelines to ensure the financial well-being of its regulated entities, which indirectly affects the payments industry by ensuring the stability and reliability of these entities.

    APRA SPG 280 – Payment Standards (June 2017)

    APRA CPS 230 – Operational Risk Management (effective from 1 July 2025; APRA released this final cross-industry Prudential Standard on 17 July 2023)

    APRA CPS 234 (July 2019)

  • ASIC regulates financial services and markets to ensure fairness and transparency.

    Key regulations under ASIC that affect the payments landscape include:

    • Corporations Act 2001: This Act covers the regulation of companies, securities, futures and the protection of consumers in the financial sector. It includes provisions for financial services licensing, conduct, and disclosure obligations.

    • National Consumer Credit Protection Act 2009 (NCCP): This includes the National Credit Code (NCC) and regulates consumer credit, affecting how credit products (including credit cards) are offered and managed.

  • The RBA has a significant role in the payments system, primarily through its Payments System Board (PSB), which is responsible for the stability of the financial system and the efficiency and competitiveness of the payment system.

    • Payment Systems (Regulation) Act 1998: This Act allows the RBA to designate payment systems that are significant to the Australian economy and oversee their management to ensure stability and efficiency. See Part 3 of the Payment Systems (Regulation) Act 1998.

    • Payment Systems and Netting Act 1998: This Act provides legal certainty for payment and settlement transactions, particularly in the event of insolvency.

    • Banking Act 1959: While primarily focused on the prudential regulation of banks, parts of this Act are relevant to payments, especially concerning the holding of customer funds.

    • Credit Cards Regulatory Framework: Since the early 2000s the Bank has introduced a number of reforms which have regulated limited elements of designated credit and debit card systems, with the aim of improving the efficiency of the Australian payments system and promoting competition in the provision of payment services.

  • AUSTRAC is Australia's anti-money laundering and counter-terrorism financing (AML/CTF) regulator and financial intelligence unit.

  • The ACCC enforces laws to promote fair trading, competition, and consumer protection in the marketplace, including the payments sector.

    • Competition and Consumer Act 2010: This Act, particularly its Australian Consumer Law (ACL) schedule, impacts the payments landscape by ensuring that payment services are fair, transparent, and competitive.

  • The Australian Payments Network (AusPayNet) (formerly the Australian Payments Clearing Association) is a self-regulatory body established by the payments industry to improve the safety, reliability, equity, convenience and efficiency of Australia’s payment systems. AusPayNet provides policy and regulatory benefits for members while also administering the procedures and regulations associated with various payment methods, including cards, direct debit and direct credit, cash, cheques and electronic funds transfers.

  • The CDR, which includes Open Banking under its umbrella, is an initiative that gives consumers better access to and control over their data. It mandates that financial institutions provide consumers with access to their data and the ability to safely transfer it to accredited service providers, promoting competition and innovation in financial services.

    The CDR framework was first applied to the banking sector under the Open Banking regime in 2020, through which consumers can exercise greater access and control over their banking data.

  • Regulation through a proposed licensing framework for payment service providers (Payments System Modernisation Consultation Paper, December 2023).

Japan

Privacy

  • Regulates the handling of personal information by businesses and government agencies.

Information Security

  • Establishes the basic principles and frameworks for cybersecurity in Japan.

Summary

In summary, companies must understand and comply with the relevant payment, security, and privacy standards in the jurisdictions in which they operate to protect sensitive data, mitigate cybersecurity risks, and build consumer trust. Non-compliance can lead to severe consequences, including financial penalties and reputational damage, making it essential for businesses to prioritise compliance as part of their broader risk management strategies.

Version Control, last updated by:
05/09/2024 - V1 update, S. Tully