The continued acceleration of embedded finance seems inevitable.

Consumers want access to lending and payment options quickly, seamlessly and, increasingly, from the non-financial products, services and platforms they are more familiar with. For retailers, revenue growth is intrinsically linked to the ease and simplicity with which their customers can access money and pay for their goods and services.

One-click convenience using embedded finance is here to stay and we have almost reached the stage where blinking at your car’s dashboard could open up access to finance, insurance, electronic vehicle charging and other day-to-day consumer goods and services; all as you drive about earning personalised loyalties from connected platforms along the way. Clearly, the most successful providers will be those who take the ease, simplicity and user experience for their customers to the next level through strong innovation and partnerships.

Industry players aspiring for long-term success must however carefully navigate the legal and regulatory complexities underpinning their embedded finance solutions and strategies, and their particular roles within the ecosystem. Those doing so pre-emptively will no doubt reap rewards down the line by driving consumer trust and loyalty through solutions that are compliant, secure and better tailored to their needs.

Regardless of the particular role your business plays supporting any embedded finance solution, here’s our take on some of the key legal and regulatory considerations to bear in mind:


The use and availability of embedded finance is contingent on smooth connections and data exchanges via APIs and cloud platforms. Contracts governing these areas should benefit from clear and robust terms regarding intellectual property and licensing, business continuity and disaster recovery, information security and service levels (including for uptime / availability, maintenance and incident response and resolution).


Embedded finance typically depends on consumer data being exchanged across multiple players to enhance the user experience and levels of access to products and services. The more intermediaries and partners involved, the greater the level of complexity. To analyse and protect against data risks, data protection impact assessments, data flow mapping and international data transfer agreements, particularly where multiple parties are involved across multiple countries, are key. Embedded finance solutions (and the contracts supporting them) should account for data protection compliance by design and clearly govern each party’s rights and responsibilities around data collection, processing, ownership, wider use, retention, transition and disposal.

Payments and regulations

Laws and rules regulating both lending and payments remain complex with differences from scheme-to-scheme and country-to-country. It is vital to map out the end-to-end payment and fund flows, to understand the roles and responsibilities of the different parties involved (particularly with regards to PCI DSS compliance) and to understand (and obtain) any requisite permissions / authorisations in relevant territories where regulated activities are undertaken, or otherwise design solutions to leverage any regulatory exemptions that might exist. In the UK, consumer interfaces, terms and materials should be designed around Consumer Duty principles. Regulated firms should also analyse and mitigate against any critical outsourcing risks, and payment scheme rules should be carefully reviewed to understand who can (and should) contract with end retailers receiving settlement monies, as the requirements around this can quickly become abstruse, especially where digital wallets, marketplaces, payment facilitation or payment orchestration are involved.

Fraud

As with any emerging technology, the technology underlying embedded finance is vulnerable to exploitation by fraudsters. As well as adhering to existing regulatory frameworks relating to anti-money laundering, know your customer requirements and consumer protection, solutions should be designed to smoothly interoperate with technical anti-fraud tools and measures (to practically reduce fraud risks in real time) and with data protection and information security at their core. Industry players should also keep a close eye on emerging APP fraud reimbursement rules to ensure any roles and responsibilities in this respect are fairly and appropriately allocated across any pertinent contracts supporting their solutions.


Artificial intelligence

To balance AI opportunities against the ethical, financial and compliance risks, businesses leveraging AI within embedded finance solutions (or within their particular roles within the ecosystem) should stay attuned to the emerging regulations in this area. To assist with this, businesses should consider developing and maintaining robust governance frameworks designed to plan, implement and control their procurement and provision of both generative and traditional AI.



Embedded finance solutions providing consumers with broader and simplified access to goods, services and loyalties are built upon solid partnerships. To reinforce the strength of any partnerships, the contracts underpinning them should be clear, balanced, future-proofed (so far as possible) and of course legally compliant. Alongside key terms apportioning risk, liability, termination and other legal rights and remedies, commercial terms and SLAs should be structured to incentivise successful performance and long-term improvements, so that partners stay invested in their roles and in the ongoing development of any solutions depending on them.

Through our team of experts, TLT can help businesses operating across the different levels of the embedded finance ecosystem, providing the advice your organisation needs as you balance opportunities against the complex web of legal and compliance risks.

For further information or support, please contact a member of our team below.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2024. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Written by

Alex Williamson

Date published

10 June 2024
