By Andreii Shevchuk, CTO & Partner, CONCRYT
As the UK’s Data (Use & Access) Bill 2025 takes effect, payments businesses have an opportunity to rethink how trust, identity, and innovation intersect. The Bill marks a fundamental shift in how customer identity is verified, data is exchanged, and digital trust is embedded into transactions across both regulated and unregulated markets.
At its core, the Bill aims to make data governance more dynamic, empower businesses to leverage data for innovation, and ease administrative complexity responsibly. For payments providers and merchants, this is a game-changer: reimagined infrastructure, more innovative access schemes, and legally backed digital identity frameworks could redefine how business is done in the UK.
UK Data Bill: What’s changing?
The UK’s Data (Use & Access) Act 2025 is essentially a strategic overhaul of how businesses access, verify, and leverage data in the digital economy. It’s designed to modernise the UK GDPR framework; the Act places innovation front and centre while reducing administrative friction.
Two standout reforms set the tone. First, a government-backed Digital Identity system to give businesses a legally supported way to verify customer identities – streamlining onboarding, reducing fraud, and embedding trust into every transaction.
Second, an expanded Smart Data initiative that builds on Open Banking to mandate broader data sharing across sectors like energy, telecoms, and retail. This will unlock new opportunities for personalised services and competitive agility.
Beyond these headline tools, the Act introduces a more pragmatic approach to data governance. It simplifies the rules around legitimate interests, allowing businesses to process data for fraud prevention, security, and direct marketing with greater confidence.
It also strengthens the ability to reject excessive or frivolous data access requests, aligning with the ICO’s guidance on “reasonable and proportionate” searches and, crucially, it clarifies the use of automation in decision-making, greenlighting AI-driven processes as long as transparency and human oversight are in place.
These changes will be phased in throughout this year and 2026, but I would encourage businesses to become early adopters. That way you won’t just be compliant, you’ll be faster, leaner, and better positioned to lead in a data-driven economy.
Why it matters to the payments industry – and you
For years, the payments sector has performed a tricky balancing act: pushing the boundaries of innovation while navigating the constraints of regulation. The new data act redraws that line with its new legal infrastructure.
At the heart of the reform is the UK’s new Digital Identity system, now backed by legislation and a statutory trust framework. This means customers can verify their identity once through a certified provider and reuse it across services—no more repeated document uploads or manual checks. For merchants and payment service providers (PSPs), this unlocks faster onboarding, lower fraud risk, and reduced exposure to sensitive data handling.
Smart Data & Automation
Then there’s Smart Data: think Open Banking but scaled across sectors. With high-assurance Digital IDs anchoring access, payments businesses can tap into real-time, verified data streams for risk checks, fraud detection, and hyper-personalised services. It marks an important shift from static compliance to dynamic intelligence.
The Bill also gives automation a green light. Previously, automated decision-making was tightly restricted under UK GDPR. Now, the Act permits broader use of AI-driven tools – as long as there’s transparency, human oversight, and safeguards in place. For payments firms, this means faster risk scoring, smoother onboarding, and more scalable operations.
Finally, the Bill tackles a long-standing operational pain point: frivolous data requests. Under the new rules, businesses can reject excessive or bad-faith DSARs (data subject access requests) without exhaustive justification. That’s more time spent on meaningful governance, less on red tape. DSARs are often costly and time-consuming due to the large volume of data typically involved, especially when businesses are required to conduct exhaustive searches. The Act now enshrines the principle of “reasonable and proportionate” searches, meaning organisations are no longer expected to comb through every byte of data to satisfy a request.
Together, these reforms signal a new era for payments, one where trust is programmable, identity is portable, and data is a strategic asset, not a compliance burden.
This Bill has come at a pivotal moment. Geopolitical tensions, growing fraud risks, and new digital payment channels are all reshaping the payments landscape. Consumers are demanding speed, trust, and seamless experiences. The regulatory environment is finally catching up.
From compliance to competitive edge: Your next steps
This isn’t a “wait and see” moment. The UK’s Data Act is already reshaping the payments landscape and smart businesses are acting on it now. Here’s what I would do to stay ahead of the curve:
- Start by mapping your identity flow. Onboarding remains one of the biggest friction points in payments, and the new Digital Verification Services (DVS) framework offers a way out. As certified providers begin to populate the government’s DVS register, businesses should identify where identity checks slow down conversion and plan for integration with trusted digital ID services that reduce fraud without compromising UX.
- Next, audit your DSAR processes. The Act introduces a “reasonable and proportionate” search standard for data subject access requests (DSARs), giving businesses firmer legal ground to reject excessive or bad-faith demands. Update internal policies now to reflect the new thresholds, and prepare frontline teams to triage requests with confidence.
- Automate KYC where possible. With the Bill greenlighting broader use of automated decision-making, payments firms can accelerate onboarding and risk scoring using AI-driven tools. Modern solutions that combine biometrics, document scans, and database matching are a strategic move.
- Revisit your legal bases for data use. The new “recognised legitimate interests” framework simplifies compliance for common use cases like fraud prevention, direct marketing, and intra-group data sharing. Businesses should reassess their data processing activities and update documentation to reflect the reduced need for balancing tests in these areas.
- Get systems ready for Smart Data. The expanded Smart Data initiative will mandate data sharing across sectors. Payments businesses should invest in flexible architecture that can plug into APIs, identity layers, and future data-sharing schemes.
This is your opportunity to lead
If digital trust is the new currency of global commerce, then identity is its foundation. By embracing the changes in the Data Bill, forward-thinking firms can set the standard for fast, secure, and customer-friendly payments in the UK and beyond.
The businesses that thrive in 2025 and beyond will be those that make digital identity and smart data work for them as tools for growth rather than just compliance.
About the Author
Andreii Shevchuk is CTO and Partner with
CONCRYT, a fintech leader offering end-to-end
payments and banking services.
Recent PaymentsNEXT news:
Three Key Questions to Consider for Payment Strategies in 2026