For much of the last decade, payments innovation has optimised for removing friction.
One-click checkout. Tap to pay. Invisible recurring billing. Smooth onboarding.
Success was measured in conversion rates and milliseconds.
That era is not over. But it is no longer the only optimisation.
Across safeguarding reform, operational resilience, Consumer Duty and the FCA’s AI review in retail finance, regulators are converging on a different question:
Can you evidence what happened?
Not just to a customer.
To a supervisor.
To an insolvency practitioner.
To a court, if necessary.
UX still matters. But in regulated payments, UX that cannot be inspected is unfinished.
Where regulators are converging
Recent regulatory work across the UK has a common theme: outcomes must be demonstrable, not asserted.
- The FCA’s strengthened safeguarding regime for payments and e-money firms places greater emphasis on reconciliation accuracy, record-keeping and evidence of segregation working in practice.¹
- The independent review of the Payment and Electronic Money Institution Insolvency Regulations (PESAR) highlighted how data quality and operational readiness directly affect customer outcomes when firms fail.²
- The FCA’s operational resilience framework requires firms to identify important business services and demonstrate they can remain within impact tolerances during disruption.³
- The FCA’s current review into the impact of AI in retail financial services focuses explicitly on governance, explainability and consumer outcomes as autonomy increases.⁴
These are not isolated initiatives. They are variations on the same theme.
The regulator is less interested in how elegant your checkout is, and more interested in whether you can reconstruct events, allocate responsibility and return funds under stress.
What auditability actually means
Auditability is often confused with logging. It is not the same thing.
In payments, auditability means being able to answer - quickly and deterministically - questions such as:
- Who authorised the transaction?
- On what basis?
- Under what consent object?
- What authentication event validated it?
- Where were funds held at each stage?
- What rules applied at the time?
- What happened when something deviated from the norm?
It implies:
- Consent provenance - versioned, inspectable permission records.
- Replayable authorisation events - authentication anchored in a third-party trust point.
- Deterministic reconciliation - clear, timely mapping between customer funds and ledger positions.
- Defined liability chains - not inferred responsibility.
- Structured dispute flows - predictable evidence, not manual interpretation.
In short: systems that explain themselves.
Why some rails struggle
Legacy credential-based payment models were not originally designed around inspectable consent.
Cards, for example, evolved in an environment where:
- the credential (card number) carried authority,
- authentication mechanisms were layered on over time,
- and dispute processes developed around chargeback frameworks rather than native consent objects.
These systems work - and at scale. But much of their audit logic is compensatory.
By contrast, open banking was designed around explicit authorisation events and bank-level authentication. Every payment initiation begins with a structured consent and a strong customer authentication (SCA) step validated within the payer’s banking environment.
That difference is structural.
It means that when regulators ask:
“Show us how this customer authorised this payment”
there is a native artefact to point to, not a reconstructed trail.
This does not make one rail inherently superior in every context. It does mean that, from an evidential standpoint, architecture matters.
The AI overlay makes this unavoidable
The FCA’s AI review underscores an emerging reality: when systems start recommending, prioritising or even initiating actions, evidential clarity becomes non-negotiable.⁴
In an AI-assisted payments journey, firms must be able to demonstrate:
- how a decision was formed;
- what data informed it;
- what boundaries constrained it;
- and where human confirmation intervened.
If a payment is initiated via opaque credential storage and heuristic risk scoring, evidencing intent becomes harder.
If it is initiated through an explicit, bank-authenticated consent object, evidencing intent becomes simpler.
As automation increases, the value of inspectable rails increases with it.
Consumer Duty and the burden of proof
The FCA’s Consumer Duty reframes regulatory supervision around good outcomes for retail customers.⁵
Outcomes cannot be demonstrated without evidence.
If a firm asserts that:
- customers understood what they were authorising;
- recurring payments remained within agreed parameters;
- disputes were handled fairly;
then it must be able to prove those assertions.
Auditability should be the mechanism through which firms defend their design decisions.
The Asima view: design for inspection
For enterprise buyers, this reframes procurement.
The question is no longer just:
- What is the conversion rate?
- What is the unit cost?
It is also:
- How easily can we evidence consent?
- How quickly can we reconstruct events?
- How transparent are fund flows?
- How resilient is this under regulatory scrutiny?
As payment volumes scale - particularly with account-to-account models and commercial recurring payments - the operational and evidential burden increases, not decreases.
Auditability is becoming a competitive differentiator.
Not because customers ask for it in onboarding flows, but because regulators increasingly assume it exists.
The smoothest UX in the world cannot compensate for a system that cannot explain itself.
In 2026, the rail that wins is not the one that hides complexity best.
It is the one that can demonstrate control most clearly.
¹ Financial Conduct Authority. Strengthening the safeguarding regime for payments and e-money firms (PS23/7).
² HM Treasury. Review of the Payment and Electronic Money Institution Insolvency Regulations.
³ Financial Conduct Authority. Operational resilience: impact tolerances for important business services.
⁴ Financial Conduct Authority. Mills Review to consider how AI will reshape retail financial services.
⁵ Financial Conduct Authority. Consumer Duty: final rules and guidance.