Imagine the situation: you launched a successful payment service, serve thousands of customers, and suddenly receive a letter from the regulator demanding that all processes be brought into compliance with new standards. Fines for non-compliance reach millions of euros, and adaptation deadlines are measured in weeks. This is not a hypothesis — it is the reality hundreds of companies faced in 2025.
European regulators have radically changed their approach to card issuance. Where requirements used to be relatively flexible, they are now strict and relentless. The tightening affects everything: from customer verification procedures to technological security standards, from sanctions restrictions to tax regulation. And this is only the beginning.
Why is this happening?
anti-money laundering, countering sanctions, protection against cyberattacks, all these factors have forced the European Central Bank (ECB) and the European Banking Authority (EBA) to rethink the entire regulatory framework for payment services. Companies that do not adapt risk losing licences, facing account freezes and reputational damage.
Over nine years of work COREDO we have helped over 500 companies from Europe, Asia and the CIS successfully register payment services and obtain the necessary licences. Our experience has shown that success depends not only on knowledge of the law, but also on understanding how regulators interpret these requirements in practice. In this article I will share what every entrepreneur planning to work with card issuance in Europe needs to know.
Issuance of EU payment cards: who controls?
The European financial regulatory system is arranged like a matryoshka. At the top level are supranational bodies, the European Central Bank and the European Banking Authority. They set common rules and standards. At the middle level operate national central banks and financial regulators of each country. They adapt European requirements to local conditions and conduct supervision. At the lowest level are the companies themselves, which must comply with all these requirements at the same time.
COREDO’s practice confirms: companies often do not understand exactly who supervises them. For example, if you register a payment institution in Spain, you will be supervised by the Spanish regulator (Banco de España), but at the same time you must comply with the requirements of the EBA and the ECB. This means you are subject to three levels of regulation at once.
Role of the ECB, EBA and regulators in card issuance
The European Central Bank focuses on macroeconomic stability and monetary policy. But in the context of card issuance its role is critical: the ECB sets requirements for payment systems, defines security standards and monitors systemic risks. When the ECB issues a recommendation, it is not just advice — it is effectively a mandatory requirement for all market participants.
The European Banking Authority (EBA) is the body that develops technical standards for payment services. The EBA issues regular updates that define exactly how companies must implement PSD2 (Payment Services Directive 2) requirements. For example, the EBA determines which customer verification methods are considered sufficient, which technologies should be used to protect data, and how to organize monitoring of suspicious transactions.
National regulators are those who issue licenses and carry out on-site supervision. They have some freedom in interpreting European requirements, but they cannot ignore them. For example, the Spanish Banco de España may set higher capital requirements than the minimum established by the EBA, but it cannot set lower ones.
COREDO’s solution for clients from different countries: we have created a requirements monitoring system that tracks changes at all three levels of regulation. This allows us to promptly inform clients about new requirements and help adapt their processes.
PSD2 and card issuance in 2025–2026
Payment Services Directive 2: this is not just a directive, it is a revolution in the payments industry. Entering into force in 2018, PSD2 redefined the rules of the game for all market participants. But in 2025–2026 its requirements became even stricter and more detailed.
The main principle of PSD2 is openness and competition. The directive requires banks to open access to accounts to third parties (Open Banking), so that payment services are available not only to banks but also to specialized payment institutions, and so that customers have a choice among different service providers.
For card issuers this means several key obligations. First, strong customer authentication (Strong Customer Authentication, SCA). This is not just a password — it is two-factor authentication that must be used for every transaction above a certain limit. Second, data security requirements. All card data must be stored encrypted, transmitted through secure channels, and processed in accordance with EMV and 3D Secure standards.
Third, Open Banking requirements. If a customer wants to connect your card to a payment aggregator service, you must provide an API for integration. This creates new opportunities but also new risks: you need to ensure that third parties meet security requirements.
COREDO’s practice has shown that many companies underestimate PSD2 requirements. They think that simply adding two-factor authentication is enough and that everything is fine. In reality, the requirements go much deeper. You need to review the entire system architecture, update processes, and train the team. We helped a Spanish company conduct a full compliance audit of PSD2, and it turned out they had more than 50 compliance gaps. After fixing these gaps the company not only avoided fines but also improved the user experience.
Sanctions restrictions and card issuance in 2025–2026
We need to be as honest as possible here: EU sanctions against Russian payment systems have created unprecedented challenges for companies working with cross-border payments. On 25 January 2026 the EU expanded sanctions against SPFS, SBP and the “Mir” system. This means that EU organizations can no longer use these systems, and companies working with payments must ensure that their customers do not violate sanctions restrictions.
For card issuers this creates a difficult situation. If you issue cards that can be used for payments through sanctioned systems, you may be held liable. This is not just a fine; it may lead to license revocation and criminal prosecution of company executives.
The solution developed by the COREDO team: we created a sanctions monitoring system that integrates with payment systems. The system automatically checks every transaction against sanctions lists and blocks suspicious operations. This requires investment in technology, but it is necessary to comply with regulator requirements.
In addition, companies must regularly update their sanctions policies. You need to clearly define which countries and companies you do not serve, which payment systems you do not use, and how you screen customers for sanctions restrictions. All of this must be documented and reviewed regularly.
AML requirements for card issuance in 2025–2026
Anti-Money Laundering (AML) is not just a set of rules, it is a philosophy that should permeate the entire organization. If in 2024 companies could treat AML as an administrative burden, in 2025–2026 it became a strategic priority.
Regulators tightened requirements because money laundering volumes are increasing. According to the International Monetary Fund, between 2 and 5% of global GDP is laundered each year. That’s trillions of dollars. And payment systems often become a channel for these operations. Regulators decided this must change.
Updated AML and KYC standards in the EU for card issuance
Know Your Customer (KYC) is the process by which a company identifies a customer and checks them for risks. In 2025–2026 the KYC requirements became much stricter.
Previously companies could use simplified verification for low-risk customers. Now all customers must undergo full verification. This means collecting not only passport details but also information about income sources, the company’s structure (if the customer is a legal entity), and beneficial owners.
For individuals the process looks like this: the customer uploads a copy of their passport, takes a selfie, and confirms their residential address. The system checks this data against databases (for example, against PEP lists, politically exposed persons). If the customer falls into a higher-risk category, additional verification is required.
For companies the process is much more complex. You need to collect incorporation documents, information about ownership structure, data on beneficial owners (Ultimate Beneficial Owners, UBO). You must check whether the company is connected to sanctioned countries or engaged in activities that could be linked to money laundering (for example, casinos, arms trading).
COREDO’s practice has shown that many companies underestimate the complexity of KYC for corporate clients. We helped a Lithuanian payment company develop a KYC process that includes 15 verification steps. It may seem like a lot, but it is necessary to meet regulatory requirements and to protect the company from risks.
Verification timelines have also tightened. Previously companies could complete verification within 10 days. Now verification is required within 2–5 days. This means investing in process automation. We recommend using digital identification systems (for example, eIDAS in the EU), which allow speeding up the verification process.
Reporting and monitoring of AML operations
If KYC is the entry check, then transaction monitoring is continuous supervision. Companies must establish systems that track all customer transactions and detect suspicious patterns.
What is considered suspicious? For example, if a customer suddenly starts making transactions totaling ten times more than usual. Or if a customer who lives in Europe makes payments to countries that are under sanctions. Or if a customer makes many small transactions that together add up to a large sum (this is called “structuring” and is a sign of money laundering).
Monitoring systems must automatically detect these patterns and generate alerts. Then a compliance specialist must analyze the alert and decide whether to file a Suspicious Activity Report (SAR) with the regulator.
Reporting is a critical point. If a company identifies a suspicious transaction, it must file a report with the regulator within a specified timeframe (usually 5–10 days). If the company does not file a report, it is considered a violation and can lead to fines.
COREDO’s solution for clients: we help companies implement monitoring systems that meet regulatory requirements. We also help develop procedures for analyzing alerts and preparing reports. This requires investment, but it is necessary to comply with requirements.
Risks and management of issuing corporate cards in the EU
Corporate cards are a special case. They are issued to companies, not individuals, and therefore require more thorough checks.
The main risk when issuing corporate cards is that the card may be used to finance terrorism or other illegal activities. For example, a company may be a front for money laundering. Or the card may be used to finance terrorist organizations.
To minimize these risks, companies must carry out enhanced verification for corporate clients. This includes checking the company’s ownership structure, verifying beneficial owners, screening against sanctions lists, and checking the company’s history.
In addition, companies should set limits on corporate card transactions. For example, a daily transaction amount limit, a limit on the number of transactions per day, and limits on transactions in certain countries.
COREDO’s practice has shown that companies that take risk management seriously gain an advantage. They avoid fines, they avoid account closures by banks, and they gain regulators’ trust. We helped a Spanish company develop a risk management system that includes automatic screening of all corporate clients. This led the company to identify several suspicious clients and avoid serious problems.
Registration of legal entities for card issuance in the EU
If you decided to launch a payment service with card issuance, the first question is: where to register the company? This is a critical decision that affects everything else: capital requirements, taxes, compliance requirements, and the ability to scale.
Selecting a jurisdiction to register a company for card issuance
There are several jurisdictions in the EU that specialize in payment services. Each has its own advantages and disadvantages.
- Spain: this is one of the most popular choices for startups. Capital requirements are relatively low (from €50 000 for a payment institution), the licensing process is relatively fast (3–6 months), and taxes are competitive. In addition, Spain has a well-developed ecosystem of payment companies, experienced consultants, and service providers.
- Lithuania: this is another popular choice. The Lithuanian regulator (Bank of Lithuania) is known for its progressive approach to regulation. Capital requirements are low, the licensing process is fast, and taxes are low. Lithuania is also known for its digital infrastructure and support for fintech companies.
- Luxembourg, this is a choice for companies that want to work with high-value assets. Capital requirements are high (from €1 million), but Luxembourg’s reputation as a financial center opens doors to attracting investments. Taxes in Luxembourg are also competitive thanks to tax incentives for financial companies.
- Cyprus: this is a choice for companies that want to work with clients from different regions. Cyprus has low capital requirements, a fast licensing process, and low taxes. In addition, Cyprus has good links with companies from Asia and the Middle East.
COREDO’s solution for clients: we help companies choose the optimal jurisdiction based on their goals, budget, and development plans. We have created a jurisdiction comparison matrix that includes capital requirements, licensing timelines, taxes, compliance requirements, and scalability options.
| Jurisdiction |
Minimum capital |
Licensing timeline |
Tax rate |
Compliance requirements |
Best suited for |
| Spain |
€50 000 |
3–6 months |
25% |
Medium |
Startups, scaling in the EU |
| Lithuania |
€50 000 |
2–4 months |
15% |
Medium |
Startups, digital solutions |
| Luxembourg |
€1 million |
6–12 months |
0.29% (with incentives) |
High |
Companies with high-value assets |
| Cyprus |
€50 000 |
3–6 months |
0% (on profit from investments) |
Medium |
Companies serving Asia and the Middle East |
Licensing and authorization for card issuance
obtaining a license for card issuance: this is a long and complex process. It includes several stages and requires preparation of a large number of documents.
The first stage is choosing the type of license. In the EU there are two main types of licenses for payment services: Payment Institution License (лицензия платежного учреждения) and Electronic Money Institution License (лицензия учреждения электронных денег).
- Payment Institution License: issued to companies that provide money transfer services, payment processing, and issuance of payment instruments (including cards). This is the most common license for companies that want to issue cards.
- Electronic Money Institution License: issued to companies that issue electronic money (for example, prepaid cards). This license requires higher capital and stricter compliance requirements.
The second stage is preparing documents. You need to prepare a business plan, a description of the technology architecture, descriptions of compliance procedures, risk management procedures, and customer service procedures. All these documents must be in the local language and must comply with the regulator’s requirements.
The third stage is submitting the application. The application is submitted through the regulator’s online portal. You need to fill out the form, upload documents, and pay the application fee (usually from €500 to €5 000).
The fourth stage is application review. The regulator checks the documents, may request additional information, and may hold a meeting with the company’s management. This stage can take from 2 to 12 months depending on the jurisdiction and the complexity of the application.
The fifth stage is receiving the license. If the regulator approves the application, the company receives the license. The license is issued for a specific period (usually 5 years) and can be renewed.
COREDO’s practice has shown that companies often underestimate the complexity of the licensing process. They think it’s enough to simply submit documents and wait for approval. In reality, you need to actively interact with the regulator, respond to requests, and provide additional information. We helped one Lithuanian company complete the licensing process in 3 months because we had prepared all documents in advance and actively engaged with the regulator.
Documents and the procedure for registering a legal entity
Before submitting an application for a license, you need to register the company. The registration process depends on the jurisdiction, but in general it looks like this:
Singapore, for example, demonstrates how to effectively organize company registration. The company registration process in Singapore is known for its speed and efficiency — most applications are approved within 15 minutes to 3 days after the fee is paid. Although Singapore is in Asia, its approach to regulating payment services can serve as a model for European jurisdictions.
In the EU the company registration process usually includes the following steps:
- Choosing the company name — ensure the name is unique and does not infringe third-party rights.
- Preparing incorporation documents: prepare the company’s articles of association, the decision to form the company, and information about directors and shareholders.
- opening a bank account — you need to open a bank account to deposit capital.
- Submitting documents to the company register — you need to file documents with the local company register (for example, in Spain this is the Registro Mercantil).
- Receiving the certificate of incorporation — after approval the company receives the certificate of incorporation.
Registration times vary from 3 to 7 days depending on the jurisdiction. After registration the company can apply for a payment institution license.
Technological requirements and safety standards for card issuance
Where technology used to be merely a tool for running a business, in 2025–2026 technology has become the foundation for regulatory compliance. Regulators now require companies to adopt specific technological standards and data protection methods.
Tokenization and contactless payments: what you need to know
Tokenization: this is the process by which real card data (number, expiry date, CVV) is replaced with a token, a unique identifier. A token can be used for payments, but if the token is compromised, the real card data remains safe.
EU regulators now require all card-issuing companies to use tokenization. This is not a recommendation — it is a mandatory requirement. Companies that do not use tokenization risk fines or losing their license.
Contactless payments are payments made without physical contact between the card and the terminal. This can be a payment via NFC (Near Field Communication), a payment via QR code, or a payment via a mobile app. Regulators require that all companies support contactless payments and that these payments be protected against fraud.
COREDO’s experience has shown that implementing tokenization and contactless payments requires significant investments in technology. Payment processing systems need to be updated, integration with payment networks (Visa, Mastercard) is required, and testing and certification must be carried out. But these are investments that pay off through reduced fraud and improved user experience.
