Relevant to board and senior leaders responsible for leading the integration of financial services (i.e. embedded finance) into the commercial strategy of consumer businesses, especially in the retail sector.
At a glance
◼ Increasingly, consumer businesses are looking to integrate financial services, such as insurance or interest-free credit, into their online customer journeys - a strategy known as embedded finance.
◼ Embedded finance offers significant commercial benefits but also carries substantial regulatory implications for consumer businesses.
◼ Success will depend on a firm’s ability to skilfully navigate possible tensions between achieving its commercial goals and fulfilling its compliance responsibilities.
◼ Regulatory considerations will be crucial in shaping a firm’s strategic choices around risk appetite, product and partner selection, and market entry time. Overall, adopting an embedded finance strategy will likely require a substantial organisational and cultural shift.
◼ Therefore, consumer businesses should strategically assess the impact of financial services regulations right from initial strategy design through to developing detailed requirements for the customer journey. This will help ensure the long-term viability and success of their embedded finance strategy.
Many consumer businesses are integrating financial services into their online customer experiences as part of their commercial approach. This strategy – known as embedded finance – helps businesses meet consumers’ growing demands for integrated digital experiences, boost their loyalty, and create new growth opportunities. We highlight some of the most common use cases to date in the table below, but new and wider applications continue to emerge.
To adopt embedded finance, consumer businesses typically partner with financial service providers with the necessary regulatory licenses, expertise, and resources. Nevertheless, in many cases, consumer businesses will also take on direct or indirect regulatory responsibilities. The rise of embedded finance has meant EU and UK scrutiny of the risks posed to consumers and markets has increased. Therefore, the current and evolving regulatory environment will have an impact on consumer businesses’ embedded finance plans, operations, and capability requirements.
In this article, we aim to support consumer businesses to understand this impact by exploring how embedded finance works and how it is regulated. We discuss why regulatory considerations are a critical element in informing consumer businesses’ strategic business choices. These include their risk and commercial appetite, which products to offer, who to partner with, and when to enter the market. We set out why factoring in key regulatory pressures and enablers from the outset will be critical to securing the long-term success of embedded finance strategies.
How does embedded finance work?
Embedded finance enables customers interacting with a consumer business to access pertinent financial services as part of the existing customer journey - without being redirected to a different website or app.
Figure 1 - Illustrative case study
Living UP – an omnichannel department store – partners with INC Bank to offer its online customers a range of credit options (e.g., Buy-Now-Pay-Later or other low/interest-free finance) at the point of sale (Figure 1). We will use this case throughout this article to bring some of the key regulatory considerations to life.
How is embedded finance regulated?
The specific regulatory requirements will depend on each embedded finance use case as financial services regulation is “activity based” rather than “entity based”. However, all use cases relevant to consumer businesses will typically need to comply with both financial services and data protection rules (Figure 2). Other rules, like competition law, might apply in specific situations, but we do not consider them here.
Figure 2 - High-level view of the embedded finance regulatory landscape
Data protection - Data protection will apply to any use cases where personal data is used. Consumer businesses will be familiar with data protection since they already handle customers’ personal data. However, embedded finance will often create complex data flows, as consumer businesses and their financial services partners share data for compliance or commercial purposes. Other third parties – e.g., as-a-service providers – may also be involved in storing or analysing personal data. And often, consumer businesses will share data protection responsibilities with these organisations about why and how to process customer data (i.e., joint data controllership). This complexity will make data governance and compliance in embedded finance more challenging.
Financial services regulation - Consumer businesses will typically be unfamiliar with financial services regulatory requirements. Financial services regulators use an “activity based” approach, so the exact rules vary based on the products and services offered to consumers. But conceptually, they encompass two sets of rules. The first set governs how firms must behave to deliver good outcomes for consumers (conduct regulations). The second set aims to ensure firms remain financially and operationally secure (financial stability regulations). The financial services regulatory perimeter is the boundary determining which activities and, as a result, which entities are subject to these rules and direct regulatory supervision. The next section examines in more detail how the perimeter affects consumer businesses adopting embedded finance, either directly or indirectly.
Why do financial service regulations affect consumer businesses in an embedded finance model?
In embedded finance, a consumer business will, in effect, deliver the financial service to the customer (Figure 3). It will have significant control and influence over the customer digital experience and critical technology components (e.g., front-end website or App). This creates a model where consumer businesses and financial services providers often share responsibilities for regulatory compliance, such as customer communications and support and operational resilience.
Figure 3 - Consumer businesses act as an intermediary
The complexity of the shared responsibility model will depend on the use case. But in most cases, the financial regulatory perimeter will capture consumer businesses, either directly or indirectly (Figure 4).
Figure 4 - Consumer businesses and the financial services regulatory perimeter
Illustrative case study
Direct impact (Figure 4 – Scenario A) – Based on the terms of its partnership with INC Bank and the online user experience design, Living UP acts as a de facto consumer credit financial intermediary. This is a regulated financial services activity. Therefore, Living UP will need to obtain the relevant regulatory authorisation (for consumer credit provision) from the financial services regulator and will face direct compliance responsibility and supervision.
Indirect impact (Figure 4 – Scenario B) – Living UP does not conduct any regulated financial services activities, but it is still indirectly affected by financial regulation. For example, Living UP provides the front-end interface (i.e., website or App) for INC Bank to offer its credit services to customers. In regulatory terms, this means that INC Bank is outsourcing the provision of important technology services and critical elements relating to the customer experience to Living UP. This type of outsourcing is strictly regulated in financial services. To fulfil its compliance responsibilities, INC Bank could, for example, contractually require Living UP to share information, ensure minimum service levels and put in place contingency plans for operational disruption. Similarly, INC Bank may also require Living UP to introduce positive friction in its user experience design so that customers can engage fully with the risks and benefits of the financial product.
The regulatory impact on a consumer business will depend in part on where an embedded finance use case sits within the spectrum of business complexity. The greater the complexity in terms of potential risks to the consumer or scale of adoption in the market, the greater the regulatory demands and scrutiny faced by the business (Figure 5). This correlation reflects the potential for harm to consumers and financial markets as evidenced, for example, by recent plans to regulate Buy-Now-Pay-Later services in both the EU and the UK.
Figure 5 - Business vs regulatory complexity of embedded finance use cases
As a starting point, consumer businesses must determine whether they undertake any regulated financial activities and therefore fall directly into the regulatory perimeter. Where they are in partnership with a regulated financial service firm, they will need to understand what indirect regulatory-driven demands their partner is likely to make. Indeed, the success of embedded finance partnerships relies on both parties understanding and agreeing on their regulatory roles and responsibilities from the outset.
Strategic choices for consumer businesses
Integrating financial services into a consumer business’ commercial strategy is not a one-size-fits-all process, as there are various use cases and constructs to consider. However, we believe it is essential for consumer businesses to carefully consider the impact of regulations on their cost-benefit analysis and the following strategic choices:
- Risk and regulatory appetite - Consumer businesses must determine the risk level and regulatory load they can accept to achieve their commercial objectives. For example, some embedded finance use cases will require them to become regulated financial entities. This would demand time and investment to build and maintain specialised compliance capabilities. Even when operating outside the financial services perimeter, they may still need to enhance their governance and risk management frameworks or respond to their financial partner's regulatory-driven demands. In general, adopting an embedded finance strategy will likely require a substantial organisational and cultural shift.
- Product selection - Increased business complexity can lead to a more intricate regulatory landscape, influencing the risk-reward balance. Firms should assess the regulatory challenges of each potential financial service offering and their ability to fulfil the applicable regulatory and compliance requirements. Starting with less risky, simple products may be beneficial, allowing compliance skills and capabilities to develop before introducing more complex products over time.
- Partner selection – Selecting the right embedded finance partners is vital for consumer businesses. The primary partner is the financial service provider, but choosing suitable third parties, like "as-a-service" providers, is also important. These relationships face significant supervisory scrutiny due to their influence on organisations' ability to meet their regulatory responsibilities. Opting for partners who are willing and capable of working collaboratively on regulatory and risk management matters on an ongoing basis is important. Additional key factors involve partners' understanding of the consumer business, cultural alignment, and shared long-term partnership goals.
- Timing – Decisions about when to enter the market must account for emerging policies that may increase regulatory pressures or provide added clarity and opportunities. Some policy developments, like Digital ID or Open Finance, will create further opportunities for more customised or innovative services. Others, such as the regulation of Buy-Now-Pay-Later services, might affect the risk-reward balance of some embedded finance use cases. Consumer businesses should also assess the effect of regulatory requirements on their timelines from inception to launch. For example, securing a financial services regulatory authorisation could, in some cases, take over 12 months, while developing or enhancing risk and compliance capabilities may also require three to six months, depending on existing capabilities.
Successful embedded finance strategies will require consumer businesses to balance achieving their commercial goals with fulfilling their regulatory and compliance responsibilities, while remaining within their risk appetite. Adopting the right corporate culture and capabilities to balance these – often conflicting – demands will be essential to mitigate risk.
Taking a longer-term strategic view of regulations and considering them from the outset will help ensure that embedded finance strategies deliver over time. Among other things, this will require an effective regulatory horizon scanning capability to be able to spot, assess and respond to upcoming regulatory risks.
Where regulatory uncertainty emerges, early and constructive engagement with regulators will be critical, especially if a firm plans for embedded finance to become an important component of its business in the long term. Consumer businesses and their financial services partners could also consider using regulators’ innovation hubs or regulatory sandboxes. This would allow them to “kick the tyres” on the risks relating to their innovative business model early on before committing significant investment and resources.
Consumer businesses should take time to assess their options fully to avoid underestimating the initial and ongoing investment required to reap the benefits of embedded finance.
Consumer business - A business that makes or sells products to a customer for their personal use rather than for resale or provides a service to a customer. The consumer industry includes establishments that manufacture, distribute and sell consumer goods, apparel, automobiles, as well as travel and hospitality services.
Digital ID - A secure and verifiable electronic form of identification that can be used to access online services, verify age, and prove identity.
Open Finance - Expected EU and UK regulatory initiatives that will give consumers and SMEs the right to authorise third parties to access their financial services account data (e.g., savings or insurance) and initiate transactions on their behalf. Open Finance is a planned expansion of Open Banking, which already applies to payment account data.