AgentSkillsCN

financial-regulation

在识别适用于软件支付处理、银行业务或金融数据处理的金融法规时使用此功能。涵盖PCI DSS、PSD2/PSD3、SOX、AML/KYC、多德-弗兰克法案、MiFID II、开放银行,以及各司法管辖区的金融科技许可。 适用范围:PCI DSS、PSD2、PSD3、SOX、AML、KYC、多德-弗兰克法案、MiFID II、开放银行、金融科技许可、支付处理合规、资金传输、加密监管。 不适用范围:支付网关集成(使用平台特定技能)、加密实施(使用安全/密码学)、金融数据建模(使用开发/后端/数据建模)。

SKILL.md
--- frontmatter
name: financial-regulation
description: |
    Use when identifying financial regulations that apply to software handling payments, banking, or financial data. Covers PCI DSS, PSD2/PSD3, SOX, AML/KYC, Dodd-Frank, MiFID II, open banking, and fintech licensing across jurisdictions.
    USE FOR: PCI DSS, PSD2, PSD3, SOX, AML, KYC, Dodd-Frank, MiFID II, open banking, fintech licensing, payment processing compliance, money transmission, crypto regulation
    DO NOT USE FOR: payment gateway integration (use platform-specific skills), encryption implementation (use security/cryptography), financial data modeling (use dev/backend/data-modeling)
license: MIT
metadata:
  displayName: "Financial Regulation"
  author: "Tyler-R-Kendrick"
compatibility: claude, copilot, cursor

Financial Regulation

Disclaimer: This skill provides general educational information about legal topics relevant to software development. It is not legal advice. Laws vary by jurisdiction and change frequently. Always consult a qualified attorney licensed in the relevant jurisdiction before making legal decisions for your organization.

Overview

Any software that touches money, financial data, or payment information is subject to significant regulation. The rules differ by jurisdiction, financial activity type, and whether you are acting as a principal or an intermediary. From card payment processing to cryptocurrency custody, the regulatory landscape is broad, overlapping, and carries some of the most severe penalties in all of technology law. Understanding which regulations apply to your product is the essential first step before writing a single line of payment-handling code.

Key Financial Regulations

RegulationJurisdictionScopeKey RequirementsPenalty
PCI DSS v4.0Global (card brands)Anyone storing, processing, or transmitting cardholder data12 requirements including encryption, access control, monitoring, and vulnerability managementFines up to $100K/month + losing ability to process cards
PSD2 / PSD3EUPayment service providersStrong Customer Authentication (SCA), open banking APIs, third-party accessRegulatory sanctions
SOX (Sarbanes-Oxley)USPublicly traded companiesIT controls for financial reporting, audit trails, CEO/CFO certificationCriminal penalties including imprisonment
Dodd-FrankUSFinancial institutionsConsumer protection, systemic risk oversight, derivatives regulationCFPB enforcement
MiFID IIEUInvestment firmsTransparency, best execution, reporting, investor protectionRegulatory sanctions
AML Directives / AMLD6EUFinancial institutions + cryptoCustomer due diligence, transaction monitoring, suspicious activity reportingCriminal liability
Bank Secrecy Act / FinCENUSFinancial institutions + MSBsSAR filing, CTR reporting, CIP, recordkeepingCriminal + civil penalties
DORAEUFinancial entities + ICT providersICT risk management, incident reporting, resilience testing, third-party riskRegulatory enforcement from January 2025

Money Transmission / E-Money

One of the most critical questions for fintech companies is: when does your application trigger money transmitter licensing? Many startups have been surprised to learn that holding user funds, facilitating peer-to-peer transfers, or offering crypto custody can require extensive licensing.

Licensing Requirements by Activity

ActivityUSEUUK
Holding funds on behalf of usersState money transmitter licenses + FinCEN MSB registrationE-money license (EMI) under EMD2FCA e-money authorization
Facilitating transfers between usersState money transmitter licenses + FinCEN MSB registrationPayment institution license under PSD2FCA payment institution authorization
Cryptocurrency custodyState money transmitter licenses (varies by state) + FinCEN MSB registrationMiCA crypto-asset service provider (CASP) licenseFCA registration under MLR

In the United States, money transmission is regulated at both the federal and state level. You must register as a Money Services Business (MSB) with FinCEN at the federal level, and then obtain individual money transmitter licenses in each state where you operate. Most states require separate applications, surety bonds, and ongoing compliance. This process can take 12-24 months and cost hundreds of thousands of dollars.

In the EU, the e-money and payment institution licensing framework under PSD2 and the Electronic Money Directive provides a more harmonized (though still complex) approach with passporting rights across member states.

In the UK, post-Brexit, the Financial Conduct Authority (FCA) maintains its own authorization regime, broadly similar to EU requirements but with diverging details.

Open Banking

PSD2 established the legal foundation for open banking in Europe, requiring banks to provide access to customer account information and payment initiation services through standardized APIs.

Key concepts:

  • AISP (Account Information Service Provider) — Third parties authorized to access account information with customer consent (read-only access).
  • PISP (Payment Initiation Service Provider) — Third parties authorized to initiate payments from a customer's account with their consent.
  • Screen scraping prohibition — PSD2 generally prohibits screen scraping in favor of dedicated APIs, though fallback mechanisms exist where APIs are unreliable.

API Standards by Region:

RegionStandardGoverning Body
EUBerlin Group NextGenPSD2Berlin Group
UKUK Open Banking StandardOpen Banking Implementation Entity (OBIE)
USFDX (Financial Data Exchange)FDX (industry-led, not mandated)
AustraliaConsumer Data Right (CDR)ACCC + Data Standards Body

Open banking is expanding beyond payments into "open finance," with PSD3 and the EU Financial Data Access (FIDA) framework extending data-sharing obligations to insurance, pensions, and investments.

Cryptocurrency and Digital Assets

The regulatory landscape for cryptocurrency and digital assets is evolving rapidly and varies significantly by jurisdiction.

Key regulatory frameworks:

  • MiCA (Markets in Crypto-Assets Regulation) — The EU's comprehensive crypto regulation, effective from 2024-2025. Establishes licensing requirements for Crypto-Asset Service Providers (CASPs), rules for stablecoin issuers (EMTs and ARTs), and market abuse provisions. This is currently the most comprehensive crypto regulatory framework globally.
  • United States — Regulatory jurisdiction remains contested between the SEC and CFTC. The SEC treats many tokens as securities under the Howey test, while the CFTC claims jurisdiction over commodities (including Bitcoin). State money transmitter laws also apply to crypto custodians and exchanges. The regulatory approach remains enforcement-driven rather than framework-driven.
  • United Kingdom — The FCA regulates crypto assets primarily through anti-money laundering registration. The Financial Services and Markets Act 2023 provides a framework for broader regulation.

Classification challenges: The treatment of stablecoins, DeFi protocols, and NFTs varies by jurisdiction. Stablecoins may be regulated as e-money, securities, or under bespoke regimes. DeFi protocols raise questions about who the regulated entity is when there is no central operator. NFTs may be treated as securities, collectibles, or something else entirely depending on their characteristics and how they are marketed.

PCI DSS Compliance Levels

If your software processes payment cards, your PCI DSS compliance level depends on your annual transaction volume:

LevelTransaction VolumeRequirements
Level 1Over 6 million transactions/yearAnnual on-site assessment by Qualified Security Assessor (QSA) + quarterly network scan by Approved Scanning Vendor (ASV)
Level 21 million to 6 million transactions/yearAnnual Self-Assessment Questionnaire (SAQ) + quarterly ASV scan
Level 320,000 to 1 million e-commerce transactions/yearAnnual SAQ + quarterly ASV scan
Level 4Fewer than 20,000 e-commerce transactions/yearAnnual SAQ recommended (requirements vary by acquirer)

PCI DSS v4.0 (mandatory from March 2025) introduces significant changes including customized validation approaches, expanded multi-factor authentication requirements, and new e-commerce anti-skimming protections. If you are still on v3.2.1, you must transition.

Best Practices

  • Always consult financial regulatory counsel before launching any product that touches money or financial data. Fintech regulation is one of the highest-penalty areas in technology law, with both civil and criminal exposure for non-compliance.
  • Map your regulatory obligations before writing code. Identify every jurisdiction where you will operate and every financial activity your product performs. The licensing requirements may fundamentally affect your product architecture and go-to-market timeline.
  • Design for PCI DSS compliance from the start. Retrofitting PCI compliance is extremely expensive. Minimize your cardholder data environment by using tokenization and hosted payment fields to reduce scope.
  • Implement robust KYC/AML controls. If your product involves money movement, you will almost certainly need identity verification, transaction monitoring, and suspicious activity reporting capabilities.
  • Maintain comprehensive audit trails. Financial regulators expect detailed logging of all transactions, access events, and compliance decisions. Design your data architecture to support this from day one.
  • Monitor regulatory changes continuously. Financial regulation is one of the fastest-moving areas of law, particularly around cryptocurrency, open banking, and AI in financial services.
  • Engage with regulators proactively. Many regulators offer sandbox programs, no-action letters, or guidance for innovative fintech products. Engaging early can save significant time and legal risk.
  • Plan for multi-jurisdictional compliance. If you operate across borders, you will face overlapping and sometimes conflicting regulatory requirements. Build your compliance architecture to be modular and jurisdiction-aware.