Author: James Borley, Director, Payment Services
A recent enquiry from a former client regarding the ability of a European firm to provide payment services in the United Kingdom (UK) on a ‘cross-border’ basis prompted me to revisit a topic I last explored around the time of Brexit.
When the UK and the European Union (EU) concluded the Trade and Cooperation Agreement at the end of 2020, it was already clear that financial services had been deliberately excluded. Hopes that passporting might survive Brexit, even in a limited form, quickly faded. What followed was not a transitional limbo but a structural shift which, by 2026, has crystallised and become embedded within the financial services landscape.
In the early post-Brexit period, an asymmetry emerged that many firms found difficult to reconcile. Firms in the European Economic Area (EEA) could rely on the UK’s Temporary Permissions Regime (TPR), preserving a degree of continuity while seeking UK authorisation. By contrast, UK firms received no reciprocal accommodation within the EEA. Instead, they were placed in an uncertain regulatory environment shaped by ‘equivalence’, bilateral dialogue, and supervisory discretion. Five years on, it is clear that equivalence has proved narrow, politically contingent and often irrelevant for day-to-day market access.
In response, firms did what regulators on both sides of the Channel had encouraged: they restructured. Many UK-based financial institutions established authorised EEA subsidiaries, appropriately capitalised and staffed to meet local substance requirements. Where firms already operated EEA branches, the authorisation pathway was often straightforward. However, where they previously relied solely on cross-border provision of services, the need for restructuring and its legality were more ambiguous.
Having led the Passport Notification Unit at the former Financial Services Authority (FSA) and having worked closely with the European Commission on passporting guidance for payment services and e-money institutions prior to PSD2, I bring a historical perspective to this issue. That perspective remains relevant today, as EEA regulators in 2026 continue to “re-anchor” supervision around territoriality and control, while the UK Government appears to be seeking closer ties with its former European partners.
Forgotten Principles?
It is worth re-examining whether certain cross-border passport notifications, particularly those made under the freedom to provide services, were ever legally required in the first place.
This is not to suggest that passporting was fictitious or unnecessary across the board. Rather, it raises concerns about the gradual erosion of core principles that once governed when notification and authorisation were necessary.
A key starting point is the European Commission’s 1997 Interpretative Communication on the freedom to provide services under the Second Banking Directive. Despite the Communication’s age, the Commission consistently affirmed during the drafting of the Payment Services Directive, the Second E-Money Directive, and PSD2 (as I witnessed first-hand) that its reasoning remained applicable to payment and e-money services, which are passportable activities under the EU’s banking framework.
The Communication presents a deceptively simple but essential point: one must determine from where the service is actually carried on.
It emphasises that only activities carried out within the territory of another Member State require prior notification. This determination hinges on identifying the place of the “characteristic performance” of the service, the essential supply for which payment is due. The presence of non-resident customers, advertising, or even the provision of internet-based services was explicitly stated not to be determinative. In the Commission’s view, a provider does not pursue activities in a customer’s jurisdiction merely because the customer is located there.
The logic is clear: if a service is provided entirely from the provider’s home state, and no activity takes place in the host state, then no passport notification is required. If no passport was needed originally, the loss of passporting rights post-Brexit should not, in principle, trigger a new authorisation requirement.
Notably, this reasoning has never been formally withdrawn.
Regulatory Drift after Brexit
By 2026, however, supervisory practice across the EEA has drifted markedly from this original framework. Member State competent authorities, bolstered by the European Supervisory Authorities’ push for supervisory convergence, have become less tolerant of so-called “empty perimeter” business models. The focus has shifted from where a service is technically performed to where risks arise, where customers are protected, and where supervisors can exert effective oversight.
This shift is evident across multiple regimes. Under MiFID II, the reverse-solicitation exemption has been almost extinguished in practical supervisory guidance. Under PSD2, regulators increasingly consider not just the mechanics of service delivery, but also how customers are acquired and serviced. Although MiCA and DORA are not directly concerned with passporting, they reinforce the same regulatory philosophy: operational and systemic risk justify territorial supervision.
Nonetheless, the underlying legal question remains unresolved.
Interestingly, the UK’s own Perimeter Guidance (PERG) continues to reflect the Commission’s original reasoning. As set out in PERG 15.6, “a payment services provider incorporated and located outside the UK” will generally not require authorisation if services are provided to UK customers solely on a cross-border, internet-based basis. In other words, the UK still applies the characteristic performance test, at least in theory.
Solicitation vs Characteristic Performance
The real fault line lies in the enduring divergence between Member States that continue to apply the Commission’s characteristic performance test and those that instead rely on a solicitation-based approach. Under the latter, any active marketing or outreach into another Member State may suffice to trigger local authorisation requirements.
This divergence has never been resolved and arguably matters more than ever. Some regulators now treat solicitation as equivalent to local presence, regardless of where the service is actually delivered, or indeed, whether the firm has any physical presence (which introduces a separate legal consideration altogether). Others, more quietly, continue to uphold the original analysis.
Reverse solicitation remains a theoretical option, but in practice has become a narrow and fragile defence. Although it is most clearly recognised under MiFID II/III, regulators are increasingly hesitant to accept it in the payments or e-money context unless the facts are exceptionally clear and meticulously documented.
Where Does This Leave Payments Firms?
The account closures and forced migrations that followed Brexit were not necessarily dictated by EU law but rather emerged as risk-management responses to regulatory uncertainty, particularly in jurisdictions favouring solicitation-based models. One could argue they were, at least in part, protectionist measures by Member States aiming to ‘punish’ the UK or defend their domestic markets: “This is a local shop for local people”, so to speak.
Even now, there is no comprehensive or authoritative list of Member States indicating which analytical approach they apply. The result is a fragmented regulatory landscape where legal theory and supervisory practice often diverge.
It remains legally arguable that some UK firms can still provide services into parts of the EEA on a purely cross-border, arm’s-length basis without local authorisation, provided the characteristic performance takes place entirely outside the EEA. However, that argument sits increasingly uncomfortably within a European regulatory culture that prioritises substance, proximity and oversight.
In practical terms, the only defensible route for firms considering such models is to obtain a detailed legal opinion for each relevant jurisdiction, an ongoing opportunity for legal advisers within the Payments Association, combined with a realistic understanding of local regulatory appetite. The law itself may not have changed dramatically, but regulators’ interpretations of it have. Today, that distinction matters less than ever.
How Complyport Can Help
At Complyport, we help UK and international payments and e-money firms navigate the complexities of cross-border regulatory requirements. Whether you’re assessing your ability to provide services into the EEA, seeking authorisation in the UK, or managing the evolving perimeter rules, our team of regulatory experts offers deep experience and strategic insight.
We can provide:
- Advice on the applicability of reverse solicitation and passporting frameworks;
- Guidance on UK FCA perimeter issues, including PERG interpretations;
- Support with the TPR and UK authorisation; and
- Strategic assessments of market access options and restructuring.
Contact us today to speak with a Subject Matter Expert and explore how Complyport can support your compliance journey.