Finovate Global: Talking Fintech Regulation in the European Union with EverC’s Maya Shabi

The regulatory landscape for fintechs and financial services companies operating in the European Union is expected to undergo significant changes this year, with new standards, guidelines, and rules governing payments, data privacy, digital assets, and more.

In this week’s edition of Finovate Global, we caught up with Maya Shabi, Senior Risk Strategist with EverC, a firm that provides tech-driven risk management solutions for ecommerce companies. In our extended conversation, Shabi discusses the policy and regulatory changes that are expected in the EU in 2025, what these changes are designed to achieve, and how they will impact fintechs, financial services companies, and their customers.

Founded in 2015, EverC offers a fully-automated, AI-driven, cross-channel risk management platform that helps drive growth for innovators in the online seller ecosystem. With domain expertise in risk intelligence, data science, and payments, EverC scans 30 million items a day — more than 10 billion products since inception — helping businesses detect and remove high-risk merchants, products, and services so they can safely grow and expand into new verticals and new markets.


In your opinion, did the regulatory environment of 2024 help or hinder innovation in fintech and financial services in the EU?

Maya Shabi: The EU’s regulatory push has been a double-edged sword for innovation in fintech and financial services. On the one hand, clear and consistent rules across member states have lowered barriers to entry, making it easier for fintech companies to collaborate, innovate, and scale across the EU. On the other hand, tighter regulations come with higher compliance costs and can limit the flexibility that’s often critical for driving rapid innovation. Given how quickly crime risks evolve in the financial sector, especially with the advent of AI, I see the overall impact of EU regulations as balanced — supporting innovation in some areas while slowing it down in others.

One early issue will be compliance with the Instant Payments Regulation (IPR). What is this policy about? What are the implementation challenges and what are the opportunities for those that get it right?

Shabi: The Instant Payment Regulation (IPR) is designed to make instant euro payments secure and accessible across the EU. Its goal is to modernize the region’s payments landscape by improving the speed and efficiency of transactions within the Single Euro Payments Area (SEPA). SEPA is a broad payment integration initiative that allows consumers and businesses to make cross-border euro payments under the same conditions as domestic transactions, simplifying and unifying payments across EU member states and a few neighboring countries.

With the IPR in place, PSPs must offer instant payment services that process transactions within 10 seconds and are available 24/7 for all euro payments. For European consumers, this means faster, more reliable payments without delays — even during weekends or holidays. It enhances convenience, supports smoother online shopping experiences, and improves cash flow for businesses by eliminating waiting times for fund transfers.

Implementing the IPR presents several challenges for PSPs and other financial institutions. Many FIs need to significantly upgrade their payment processing systems to handle real-time transactions, which also need to uphold fraud detection and AML/CTF rules in real time. The cost of upgrading systems alone is huge, not to mention the added technical challenge of ensuring interoperability between different PSPs and banks across borders. I think it’s pretty safe to assume that not all FIs have the same level of digital maturity, leaving many to play catch-up.

That said, there are several opportunities for those who comply with the IPR sooner rather than later. Early adopters of IPR-compliant systems can position themselves as leaders in innovation and customer service. Offering seamless, instant payments can attract more customers and build trust. Additionally, faster cross-border payments lower barriers for businesses to expand across the EU.

Another policy that will kick in early in 2025 is DORA, the EU’s Digital Operational Resilience Act. What does this policy call for and why is it important?

Shabi: The Digital Operational Resilience Act (DORA) is a pivotal regulation aimed at strengthening the financial sector’s ability to withstand digital disruptions and cyber threats. It sets clear IT security standards, focusing on managing information and communication technology (ICT) risks, improving incident reporting, and overseeing third-party ICT service providers. Financial institutions will be required to assess “concentration risk” when outsourcing critical or significant operations to external vendors.

For some added context, the EU’s General Data Protection Regulation (GDPR) emphasizes protecting personally identifiable information (PII) through consent and data security, whereas DORA shifts the focus to the digital supply chains of financial institutions. This introduces a new and potentially more challenging regulatory environment that pushes firms to strengthen their defenses against IT disruptions. It is designed to prevent major outages, like the devastating CrowdStrike software update last summer, from crippling banking, payment, and investment services. Under DORA, similar service interruptions will be met with stricter oversight and accountability, driving firms to prioritize digital resilience. Otherwise, non-compliance could lead to fines of up to 2% of a firm’s annual global revenue, and individual managers could face personal penalties of up to €1 million for breaches.

In terms of new open banking regulations, what are your expectations?

Shabi: Open banking regulations opened the door for greater innovation and competition, but they also brought meaningful friction as FIs worked to keep up with rising fraud risks. Under the EU’s Second Payment Services Directive (PSD2), banks are required to share customer data with third-party providers through APIs — a move that, while promoting transparency and choice, also widens the attack surface for cybercriminals. It increases the risk of data breaches, identity theft, and payment fraud.

To counter these threats, PSD2 and its upcoming successor, the Third Payment Services Directive (PSD3), mandate stronger security measures like enhanced customer authentication and tighter oversight of third-party access. While these safeguards are critical, they can slow down user experiences and complicate partnerships. Still, this added friction is necessary to strike a balance between the advantages of open banking and the growing need to protect consumers and the broader financial system. Given that the PSD3 is expected to take hold in late 2025 or early 2026, FIs must prepare to ensure they remain compliant.

The EU AI Act passed in 2024. What kind of impact will this regulation have in 2025 and what should companies in financial services be doing now?

Shabi: Governments worldwide are racing to regulate the perceived risks of artificial intelligence. The US issued an AI Executive Order, the UK released a non-binding Declaration of Principles, and China introduced what appears to be a business-friendly AI framework. The EU’s AI Act marks the most significant step yet toward bringing structure to an industry that has largely operated like the Wild West, at least for now.

What makes the EU AI Act stand out is its risk-based approach. Instead of applying blanket regulations to all AI technologies, it scales oversight based on the potential for societal harm — the greater the risk, the stricter the rules. This method strikes a crucial balance between fostering innovation and protecting fundamental rights. In the payments industry, we’re no strangers to how effective a risk-based framework can be when navigating the fine line between managing risk and driving innovation.

Notably, over 100 companies – from global corporations to smaller financial institutions – have already pledged to comply with the AI Act ahead of its full enforcement. This early buy-in signals broad industry support or, at the very least, an interest in collaboration. Even critics who argue the law is either too sweeping or too narrow recognize that engaging with regulators and key stakeholders is often the smarter path. By collaborating early, companies can help shape the conversation surrounding AI instead of being sidelined and forced to comply without having a voice.

Other areas that are likely to receive regulatory scrutiny in 2025 in the EU are crypto and Buy Now Pay Later (BNPL). What developments are most likely for businesses in these spaces?

Shabi: Complying with the MiCA framework is the first thing that comes to mind when cryptocurrency and the EU are mentioned in the same sentence. MiCA is the EU’s first comprehensive legal framework for crypto assets that introduces clear and consistent rules across member states. Although it’s been in development for several years, key compliance deadlines took effect in 2024 and will continue through 2025. We’re already seeing major crypto firms like Coinbase adjusting their operations to meet MiCA’s requirements, while others are reassessing their market strategies — some even shifting focus to countries with more relaxed crypto regulations. For any crypto business operating in the EU, heavy compliance standards are becoming the norm, much like other industries that come with significant AML/CTF risks.

BNPL, however, presents a different regulatory challenge. In many ways, BNPL is just a modern spin on subprime lending — a long-standing issue in financial services when it comes to consumer protection. The explosive growth of BNPL services has raised concerns about rising consumer debt, as the lack of transparency about fees, terms, and penalties leaves consumers exposed to hidden costs. Additionally, weak credit checks and poor due diligence practices heighten the risk of users falling into financial overextension. These issues harm individual financial stability and pose systemic risks, especially since BNPL providers often operate across borders with inconsistent oversight.

To address these concerns, regulators across the globe are scrambling to regulate BNPL providers similarly to traditional credit frameworks. EU regulators updated the Consumer Credit Directive to strengthen consumer protections in the credit market, explicitly covering BNPL services. For businesses operating in this space, this means significant regulatory changes are on the horizon. EU member states must implement the directive into national law by November 20, 2025, with full enforcement beginning on November 20, 2026.

By this time next year, what areas of fintech/financial services do you think will have benefitted the most from greater regulatory clarity? Where do you anticipate that more work will be needed?

Shabi: By this time next year, crypto-assets, payments, and RegTech will likely be the biggest winners from greater regulatory clarity in the EU. The full rollout of MiCA will finally bring consistency across member states, giving crypto firms the green light to develop secure, consumer-friendly products without second-guessing compliance. Likewise, updates to the Payment Services Directives are set to streamline open banking, tightening data security while making it easier for fintechs to access and use consumer data — fueling innovation in payments.

Simultaneously, the growing complexity of EU compliance is driving up demand for RegTech solutions. Fintech companies offering tools to automate compliance, manage risk, and strengthen cybersecurity will be well-positioned for growth as firms scramble to meet evolving requirements under regulations like DORA as well as AML/CTF directives. Ideally, this regulatory progress will create a more stable, trustworthy environment that supports responsible innovation across the financial sector.

However, several areas still need more attention. The EU AI Act doesn’t fully address how AI is used in financial services — especially in critical areas like credit scoring and fraud detection — leaving gaps around transparency, data use, and risk management. Cross-border payments and digital identity systems also remain fragmented, making it harder to streamline transactions and verify users across the EU.

Emerging asset classes like NFTs and tokenized assets are another blind spot, lacking comprehensive oversight and leaving both consumers and markets exposed to risk. Smaller fintechs, too, may struggle to keep up with strict cybersecurity and operational resilience requirements under DORA, highlighting the need for more scalable compliance pathways. Closing these gaps will be key to ensuring the EU can balance innovation with long-term financial stability and consumer protection.

How will this evolving regulatory landscape impact your customers and the work EverC does for them?

Shabi: As platforms and payments continue to evolve, bringing more of our finances (and our lives) online, fraudsters will continue to exploit these opportunities, and regulators will continue to create structures to protect consumers. The evolving regulatory landscape is a challenge that marketplaces and payment providers must meet to continue doing business successfully.

The cost of noncompliance — in terms of enforcement actions and fines, lawsuits, decreased revenue, and loss of reputation and consumer trust — will always outweigh the cost of creating and maintaining a solid risk and compliance strategy. With technology, we can fight fraud and make ecommerce and digital finance safer while allowing our customers to benefit from operational efficiencies and more effective resource allocation.

EverC enables payment providers, ecommerce players, and financial institutions to meet these challenges with customer-centric innovation. That innovation is accelerated with the power of GenAI for scalable, tech-forward solutions. Our experts stay current with regulatory trends so we can anticipate and meet our customers’ needs as they navigate this rapidly evolving landscape.


Here is our look at fintech innovation around the world.

Sub-Saharan Africa

Central and Eastern Europe

  • German fintech 21X partnered with AllUnity, a joint venture between DWS, Flow Traders, and Galaxy Digital.
  • Lithuania-based Urbo Bank (formerly Medicinos Bankas) announced a collaboration with certified payment technology company DECTA to go live with Visa card issuing services.
  • German climate fintech Bees & Bears raised $525 million (€500 million) to fund renewable energy installations in Germany.

Middle East and Northern Africa

  • Dubai-based cybersecurity firm CyberHive inked a Memorandum of Understanding (MoU) with business planning and operations smart solutions provider Meerana.
  • Israel-based conversational AI innovator and Finovate Best of Show winner eSelf.ai raised $4.5 in seed funding.
  • Egyptian financial services company Paymob secured a Retail Payment Services (RPS) license from the Central Bank of the UAE.

Central and Southern Asia

Latin America and the Caribbean

  • Brazilian fintech Nubank partnered with Mexican convenience store chain Oxxo to expand its cash deposit and withdrawal network.
  • El Salvador bought twelve Bitcoin this week despite an agreement with the International Monetary Fund (IMF) to reduce its activity in the cryptocurrency market.
  • Revolut applied for a banking license in Colombia.

Asia-Pacific

  • Philippines-based Netbank partnered with Discovery Credit Solutions Corporation (DCSC) to launch a new solution to optimize loan management.
  • South Korea’s Personal Information Protection Commission (PIPC) fined KakaoPay and ApplePay $5.8 million for violations of the country’s Personal Information Protection Act.
  • Revolut launched its robo-advisor service in Singapore.
