How to Manage Regulatory Requirements When Moving Money Globally

Here’s a look at some of these changes in regulations and trends regarding international payments that I just shared with attendees of Money 20/20 USA.

Peter Butterfield
Peter Butterfield
is the general counsel and chief compliance officer at Flywire, a specialist in international tuition payments.

Our global economy, alongside cybersecurity, anti-money laundering advances, technology innovation and privacy concerns — not an exhaustive list – has prompted significant changes to international financial highways that nobody dreamed of twenty or even five years ago. Moving money and conducting business internationally now require a platform and business understanding that are well-positioned and continually up to date with increasingly complex monetary and related regulations.

Billions of dollars are moved between hundreds of countries and territories annually, with significant regulatory changes taking place specifically across Europe, and also in China and Singapore. Here’s a look at some of these changes in regulations and trends regarding international payments that I just shared with attendees of Money 20/20 USA.

Certain International Payment Regulatory Changes You Should Know


Although Brexit has understandably dominated the news landscape and has very far-reaching impact for fintech and payment (as well as other) businesses, in 2015, the European Commission proposed a new overarching regulatory framework (PSD2) applicable to both consumers and businesses when sending and receiving currency. The PSD2 aims at enhancing consumer protection, promoting innovation and improving the security of payment services within the EU. In addition to a prohibition on surcharging payers under specified circumstances, one additional critical change was a requirement for stronger customer authentication (SCA), which follows modern cybersecurity best practices. Certain PSD2 requirements have gone into effect over the past two years but the strong customer authentication portion of PSD2 has been further delayed beyond its original effectiveness timing of September 2019.

Globally, the General Data Protection Regulation (GDPR) went into effect in May 2018, imposing a number of new requirements on businesses – including those in the payment space – in connection with the handling and processing of personal data (including about payers or recipients of payments).


Singapore's new Payment Services Act (PSA) passed in Parliament in January 2019. It outlined a new regulatory framework to both enhance payment services in Singapore, and regulate risk from money laundering, terrorist funding, insolvency, and cybersecurity. The PSA regulates seven categories of services: (1) account issuance, (2) domestic money transfer, (3) cross-border money transfer, (4) merchant acquisition, (5) electronic money issuance, (6) digital payment token services and (7) money-changing services. There are three types of licenses that may be required (absent an applicable exemption): (1) major payment institution, (2) standard payment institution and (3) money changing. The actual scope of application, permitted exemptions, and other details are still subject to consultation.


China's State Administration of Foreign Exchange (SAFE) is the country's foreign exchange regulatory agency and is an essential player in international financial markets. In light of economic slowdowns and trade tensions, China's banking system regulations have evolved to mitigate financial risks and clamp down on shadow banking, and its currency controls are also being more rigorously enforced. At the same time, China has also set forth requirements allowing foreign-owned businesses to obtain a payments license.

Currency Controls and Other Regulatory Requirements Potentially Impacting International Payment Companies

Financial regulators are duty-bound to consider public policy interests when considering changes to existing laws. They must strike a balance between consumer protection, fraud detection, prohibition of money laundering and terrorist financing, and the free flow of innovation in money management.

While lawmakers and governments do their best to understand the changing global Fintech and payments landscape, they also must embrace an understanding of consumer and business desires. There is a range of available ways to transfer monetary value – ranging from business storefronts to Venmo.

Currency Controls

Irrespective of the means by which money may be transferred, many forms of payments – depending on their nature – are subject to currency controls imposed by the originating country. Some forms of payments may be restricted, subject to annual or transactional limits, or require layers of bureaucratic paperwork and specific approval before transmission. For example, some payments with a purpose for education, healthcare, or tourism and travel may be permitted subject to limitations, but others (such as overseas real estate investments) may be completely prohibited. And several countries – in regions ranging from the Middle East to Africa and Asia, outright forbid any international financial transfers.

Additional Regulatory Requirements

Within this mix of rules, non-banking financial technology companies must comply with, and stay abreast of, other industry-specific privacy standards. Privacy regulations such as HIPAA and FERPA in the U.S. have strict guidelines concerning protection of personal information and storage. These limitations mean that healthcare billing information must be transmitted across secure connections to encrypted servers, and education records have exacting rules to follow to protect student's data.

Consumer protection concerns have also led to a flood of disclosure requirements, whether they be a part of a payment experience for financing healthcare obligations, or if a payments business wishes to market its services in new jurisdictions.

Garnering Customer Trust

It's not difficult for a customer to develop trust issues with a payment services provider. They are looking for a company with a firm grasp of international regulations that provides current information about payment scams and other fraud issues, active fraud monitoring, information about sanctioned countries, and anti-money-laundering policies.

A knowledgeable company will also understand the importance to a customer of protecting its data and those of its customer’s customers. Encryption standards and protections against denial of service are areas of frequent questioning. PCI/DSS compliance, obtaining privacy shield certifications and ensuring a SOC2 or SOC1 review can build a customer’s confidence that its payments and data are appropriately secure.

Another way to gain trust is to mitigate cyber risk through cybersecurity insurance. These policies are designed to reduce losses from data breaches, business interruptions, network damage, and disaster recovery.

Building Local Banking Relationships

Payment services providers can't work alone. They need to build relationships with banks and regulators, both domestic and foreign. Working together and respecting and implementing best practices is critical – agreeing and adhering to a compliance model and regular audits and inspections in a collaborative fashion.

International Presence

Lastly, when the time is right, payment service providers need to have personnel acting as the face of the company in countries where they operate. This measure helps to solidify regulatory compliance in operating countries, assures local language speakers are able to communicate with customers, partners, banks and regulators, and provides a hands-on way to build best practices.

This step is crucial to building a competent and trustworthy global payments network: hiring a great team and growing the business' infrastructure from the inside out.

I wanted to thank everyone who attended my session at the 2019 Money 20/20 USA conference in Las Vegas, NV. Additionally, I hope readers across the world have gained some additional knowledge from this piece.