I regularly hear the same question from entrepreneurs: how to launch BNPL in Europe and the United Kingdom so that regulators support the model and the unit economics don’t fall apart? Since 2016 the COREDO team has been helping businesses register legal entities in the EU and Asia, obtain financial licences, build AML compliance and enter new markets without pauses in operations. During this time we have run dozens of “buy now pay later” projects and can see how quickly BNPL regulation is changing in Europe and the United Kingdom.
In this article I have put together a practical guide: from choosing a jurisdiction and structure to suitability/unsuitability algorithms, integration with credit bureaus and preparation for the FCA’s BNPL requirements for 2026. I deliberately use plain language and provide specifics from our practice so that you can make decisions as soon as tomorrow.
Changes in the market and regulatory framework
BNPL regulation in Europe is becoming stricter due to the EU Second Consumer Credit Directive, which expands coverage to small loans and installment plans. This means tougher requirements for creditworthiness assessment, tariff transparency, disclosure of terms and the procedure for transferring data to credit registers. National competent authorities for BNPL in the EU: Finantsinspektsioon (FI) in Estonia, KNF in Poland, the Central Bank of Cyprus and, in some entities with an investment component, CySEC. We take into account that the directive’s rules are mandatory, while enforcement practices and thresholds are national.
For me, there’s one key trend: compliance has stopped being a «costly add-on»: it has become a product feature and a competitive advantage. The solution developed at COREDO is usually built around the principle «compliance‑by‑design»: KYC, AML and suitability processes are embedded in the sales funnel rather than bolted on.
Jurisdictions and models: where to get a license
I often suggest starting with two basic scenarios: Licensing BNPL in the EU via Estonia or Cyprus, or a focus on Poland when planning active localization. This is not a universal truth, but COREDO’s practice confirms: this makes it easier to balance speed of launch, substance requirements and the possibility of cross‑border expansion.
- BNPL financial license — Estonia. Estonia provides a clear dialogue with FIs, developed open banking practices and a mature e‑government infrastructure. With proper preparation, a cross‑border BNPL license from Estonia and Cyprus allows entry into 5–10 EU countries with minimal fine‑tuning. At the same time, you need to take into account local “threshold” exemptions and notifications.
- Cyprus. For classic BNPL without investment instruments, supervision is carried out by the Central Bank of Cyprus. A CySEC BNPL license in Cyprus comes into play when the structure includes an investment component (for example, a credit fund, portfolio securitization or the use of investment intermediaries). The COREDO team has implemented several projects where coordination with both regulators was required.
- Poland. KNF BNPL regulation in Poland is among the most demanding when it comes to pricing transparency, financial promotion and PKD/activity codes. For merchant platforms the Polish market delivers high conversion, but requires thoughtful localization and integration with local registers.
- United Kingdom. Authorization focuses on consumer lending and financial promotion. The Temporary Permissions Regime (TPR) for BNPL is currently available in a limited way, effectively for companies that entered the regime earlier or acquire a business already in TPR. COREDO practice: parallel registration and application to the TPR is possible in an M&A structure, which minimizes downtime when entering the UK.
Registration of a legal entity and substance tests
legal entity registration for BNPL in the EU is not a formality. Regulators check substance requirements when registering a legal entity in the EU: the presence of a local office and staff for the license, economic activity, and that key decisions are made on the territory. I plan in advance:
- a physical office and SLAs with providers, confirming operational resilience;
- specialized staff: MLRO/Compliance Officer, Risk, Head of Operations;
- a local board of directors with relevant expertise and an independent director.
The structure of the charter and activity codes is critical. In Poland, correctly choosing PKD/activity codes for BNPL providers is part of licensing and subsequent inspections. In the EU we use NACE, but I always coordinate the wording with the local lawyer and the regulator to avoid discrepancies. For Cyprus and Estonia we assess transfer pricing and tax aspects in advance when registering in Cyprus/Estonia so that the chain of commissions and intercompany payments does not raise questions.
Documents for Cyprus and Estonia licenses
What documents are needed for a BNPL license in Cyprus and Estonia? The set is similar, but there are nuances:
- Incorporation documents, ownership structure, beneficiaries, group chart.
- Policies: AML/CFT, KYC and Due Diligence for BNPL, EDD for high-risk cases, sanctions and PEP screenings for BNPL providers.
- Assessment of BNPL customers’ creditworthiness: affordability methodologies, analysis of suitability and unsuitability for BNPL customers, decline procedures.
- IT and security: operational controls, SLAs, RTO, RPO for the BNPL platform, BCP/DR plans and tests.
- Product model: rules for customer disclosures and BNPL contract templates, regulations limiting hidden fees and transparency of payment schedules.
- Finance: business plan, requirements for capital reserves and financial resilience, stress tests.
- Reporting: how to build a roadmap for integration with credit registries, data quality control and compliance with reporting formats.
In Estonia the FI analyzes decisioning engines in detail, including automated decision-making systems (decisioning engines) for suitability. In Cyprus the regulator pays a lot of attention to governance and the role of independent directors. Our experience at COREDO has shown: a strong documented risk management model and a clear IT architecture speed up the dialogue and reduce the number of rounds of questions.
I — EU directive on credit for BNPL
- an assessment of creditworthiness based on sufficient data, not only the customer’s statements;
- transparency of pricing and a ban on hidden BNPL fees, clear APR equivalents where applicable;
- debt limits and BNPL consumer protection, the right of withdrawal and standardized pre-contractual forms;
- the transfer of data to credit registers and frequent reporting, including adverse events.
National exemptions and turnover thresholds for licensing exemptions exist, but I consider them a temporary solution. Exemption from licensing for small BNPL providers can help at the MVP stage, but scaling will inevitably require a full license and a review of processes.
FCA and TPR: financial promotion 2026
How to use TPR to minimize downtime when entering the UK? The scenario we applied: acquiring a company with an active TPR and simultaneously applying for our own authorization. Plus, market access with controlled risk; minus — thorough legal due diligence and systems integration. COREDO practice: parallel registration and TPR application during M&A reduced the client’s time-to-market by 6–8 months.
How will the FCA implement the unsuitability test from 2026? The draft rules focus on identifying groups of customers for whom a product is clearly unsuitable, even when affordability is positive. This includes age, social and behavioral markers, as well as patterns of ‘repeat missed payments’. FCA reporting requirements and the format of monthly summaries are another axis: detailed metrics on defaults, restructurings, vulnerable customers and the effectiveness of early intervention.
Rules on financial promotion for BNPL and liability for advertising will become stricter. I recommend implementing a two-tier review of promotional materials: legal and behavioral (fairness). This reduces the risk of claims for ‘misleading promotions’ and ensures a sustainable funnel.
Credit reporting: CRA and algorithms
Our team always includes integration with Credit Reference Agencies in the roadmap. Integration with Credit Reference Agencies and the transmission of BNPL transactional data to Credit Reference Agencies: a standard without which no regulator will give the “green light”. For the EU we use national bureaus and banking registers, in the UK: Experian, Equifax, TransUnion.
How to prepare unsuitability and affordability algorithms? I build a hybrid: rules (policy‑based) + ML scoring, where ML is explainable and auditable. Credit history checks and scoring of BNPL borrowers are not a “black box”: regulators expect clear “reasons codes” for refusals.
API integration with credit bureaus and monthly reporting require mature data quality. I define the data owner in advance, SLA for fixing errors, reconciliation procedures and automatic alerts for discrepancies. Data quality control and compliance with the reporting format save months of correspondence with the regulator.
AML/KYC in the product funnel
AML compliance for BNPL providers: it’s not just screening. Integrating AML KYC into the BNPL product funnel increases conversion if made intuitive.
- KYC and due diligence for BNPL with risk scanning and dynamic verification levels;
- enhanced due diligence (EDD) for elevated AML risks;
- sanctions and PEP screenings for BNPL providers with a triage process and manual verification;
- KYB procedures for partner merchants (merchants) and monitoring of their transactional activity.
The legal bases for the transfer of personal data and GDPR in BNPL are covered by a combination of legitimate interest, performance of the contract and regulatory obligations. The COREDO solution includes a DPIA matrix and registration of processing purposes so that GDPR questions do not slow down market entry.
Consumer protection and fair pricing
Regulators pay close attention to how you explain costs and risks to the customer. Pricing transparency and a ban on hidden BNPL fees, a clear payment schedule, automatic reminders: the basic minimum. I add monitoring for repeated delinquencies and early-intervention mechanisms: offering a “payment holiday”, reducing limits, personal contact.
Customer disclosure rules and BNPL contract templates should undergo legal and behavioral review. National competent authorities assess not only the content but also the format: readability, the presence of key facts on a single page, warnings about risks. Regulatory compliance works as a competitive advantage for scaling when these principles are built into the product.
Partnerships between Marketplaces and Merchants
BNPL solutions for marketplaces and partner networks provide rapid scale but entail contractual risks. Negotiating terms with partner marketplaces and contractual risks include questions of allocation of responsibility for KYC/KYB, returns, chargebacks and marketing commitments. I recommend a responsibility matrix and a single playbook for promo materials to avoid being fined because of someone else’s advertising.
KYB procedures for partner merchants and anti-fraud procedures protect the portfolio from suspicious sellers. Document verification and anti-fraud procedures, including behavioral biometrics analysis and device fingerprinting, significantly reduce fraud levels without loss of conversion.
Timing, budget and ROI
Timing for obtaining a BNPL license in key jurisdictions varies. In Estonia: 4–6 months with a fully prepared package, in Cyprus: 4–8 months depending on the structure. Case: registration of a legal entity in Cyprus and obtaining the license in 4 months was made possible thanks to early agreement on governance, the completeness of the IT dossier and a ready plan for integration with registries.
The estimated budget for obtaining a BNPL license (lawyer, compliance, capital) includes legal preparation, IT and risk-function audits, initial capital and 6–9 months of operational runway. The cost of compliance and payback periods depend on the distribution channel: marketplaces have lower CAC. How is licensing ROI calculated (examples 250%–300%)? We take the margin on the portfolio, discount cancellations/defaults, and subtract the full cost of compliance and reserves.
How to calculate the breakeven point after obtaining a license — a question about the share of active users, average basket size, take‑rate and cost of funding. I factor in stress scenarios and seasonality.
KPI metrics: repayment rate 99%, early repayments 40% as a benchmark are possible with proper segmentation and early intervention. Questions for the manager: which KPIs should be tracked when launching BNPL in the EU? Retention, NPL 30+/90+, DTI by segments, CAC/LTV, average number of active merchants, integration speed, onboarding SLA, share of “clean” auto-approvals.
Reducing legal and reputational risks
Legal risks of BNPL and potential fines for non‑compliance with the Consumer Credit Directive in the EU and FCA guidance in the UK are significant. Grounds for refusal to grant a BNPL licence and avenues for appeal include insufficient substance, weak governance, an opaque ownership structure, and a leaky IT‑perimeter. We prepare a remediation plan, as well as licence‑refusal scenarios and wind‑down/redemption plans to protect customers and partners in stress‑scenarios.
risk management of BNPL and debt‑burden stress‑tests are a mandatory part of the risk‑framework. Methodologies for calculating stress‑tests for an instalment portfolio take into account rising unemployment, inflation, conversion declines and tightening credit policy. Managing reputational risks as a BNPL portfolio grows requires transparent communication, compliant advertising and clear complaint handling.
Collection strategies and the management of collections agencies I build in a “human‑centric” logic supported by regulators. First, soft reminders and restructuring offers, then escalation according to a clear script that does not violate consumer rights.
Scaling from Asia to the EU and 5+ markets
Scaling BNPL from Asia to the EU: the practical steps are quite pragmatic. Legal due diligence when entering the EU, choosing a core jurisdiction (Estonia or Cyprus), assessing cross‑border feasibility, coordination with national regulators and a timeline of local notifications. Practical steps for scaling BNPL from Asia to 5+ EU countries include a pilot in 1–2 markets, then sequential onboarding of countries on a quarterly cycle.
Passporting restrictions after Brexit and alternatives in the UK, appointment of an Appointed Representative, acquisition of a licensed business or participation in sandboxes. Sandboxes and accelerated access regimes for fintech BNPL provide a chance to demonstrate the model on real data and fine‑tune reporting before full authorization. The influence of national competent authorities on the market entry strategy is obvious: timelines, inspection focuses and consumer protection priorities differ, and this must be accounted for in planning.
Internal control and audit
Organizing internal compliance audit for BNPL is a common practice for financial institutions. I establish an independent function that tests procedures, verifies reporting and checks IT controls. Outsourcing options for compliance and control risks exist, but I prefer a hybrid: a core of competencies in‑house, targeted external support.
Infrastructure requirements: IT security and operational resilience are an integral part of the dossier. Regulators expect RTO/RPO for critical systems, penetration tests, vulnerability management, access segmentation, logging and monitoring. Operational readiness and the launch of BNPL sales depend on the maturity of these processes no less than on marketing.
International benchmarking/self-regulation
International experience: NCCP/ASIC comparison and benchmarking show that Australia has already gone through a tightening of BNPL. I use this experience as an “early indicator” for Europe and the UK, especially regarding reporting to CRAs and limiting “dark pattern” practices in onboarding. Implementing an industry BNPL code and self‑regulation helps build trust with regulators and the market.
Scope of laws: the Consumer Credit Directive, national acts, FCA guidance – the basic triad without which policy cannot be built. I’ll add GDPR, PSD2, AMLD and local advertising laws. This is the minimum I include in the project’s legal map.
COREDO Case Studies and Results
COREDO’s BNPL licensing case studies show that discipline during the preparation phase solves half the challenges. COREDO case: the result — a launch in 5 countries in 6 months — was achieved by building a unified compliance framework, standard API integrations with registries, and contract templates for local adaptation. At the same time, we prepared reporting and trained partner merchants.
A separate project: a large-scale marketplace with a core in Cyprus and an auxiliary office in Prague. We structured the charter and PKD codes for BNPL, implemented open banking integrations, established an unsuitability test for BNPL and early intervention triggers. Result: a repayment rate of 99% and early repayments of 40% as a benchmark in reporting to the board of directors.
Another example — UK expansion through TPR. We prepared a parallel submission for registration and TPR alongside M&A, agreed the FCA reporting requirements and the format of monthly summaries, implemented BNPL financial promotion rules and independent marketing verification. Downtime between deal closing and the start of sales took only a few weeks.
How to obtain a BNPL license in the EU
I complete each project with a detailed roadmap. Schematically it looks like this:
- Model and jurisdiction diagnosis
– Regulation of BNPL in Europe: a map of requirements under CCD II and the UK.– “Quick win”: licensing buy now pay later in the EU via Estonia or Cyprus, assessment of cross‑border potential.
- corporate structure and substance
– Registration of a legal entity for BNPL in the EU, substance tests: local office, staff, economic activity.– Transfer pricing, tax model, independent directors.
- Policies, product and IT
– AML/KYC, EDD, sanctions/PEP, KYB of merchants.– Affordability, suitability and unsuitability test algorithms for BNPL; decisioning engines with explainability.– Open banking/PSD2, integration with CRA, reporting format.– Operational controls: SLA, RTO, RPO, BCP/DR plan.
- Submission and dialogue with the regulator
– Preparation of a presentation for the national regulator (NCA), demonstrating governance and risk.– Responses to inquiries, pilot reporting, adjustments.
- Operational readiness
– Team training, final “war‑games”, launch in the pilot market.– Scaling: sequential onboarding of countries, local notifications.
- UK‑track (if necessary)
– Analysis of availability of TPR and/or AR, parallel submission, preparation for FCA BNPL requirements 2026.– Financial promotion, reporting, marketing controls.
Customer FAQs: short answers
- BNPL licensing for fintech startups is possible with a minimal “skeleton” team, but the regulator will require real management and risk functions, not nominal ones.
- Minimizing risks when scaling BNPL requires a unified compliance architecture and ready-made integration modules for registries.
- How to prepare a presentation for the NCA? Include the business model, unit economics, governance, IT architecture, a stress-test plan, and a reporting map.
- National exemptions and turnover thresholds help you start, but they weaken your position when scaling — regulators see that.
- The consequences of a license refusal and blocked operations are painful. I always prepare a fallback plan and communications for clients and partners.
Comparison of regulators: what to look for
A comparison of CySEC, Estonia’s FI, and the KNF against BNPL requirements shows different emphases. FI delves more deeply into IT and algorithms; KNF focuses on behavioral practices and promotions; the Cypriot regulator emphasizes governance and substance. In the UK, the FCA pays particular attention to vulnerable customers, reporting, and promotional materials. Our experience suggests: readiness for any of these focal areas comes through a single roadmap, strong policies, explainable algorithms, and managed processes.
Why should investors act now?
The availability of market research (Statista forecasts) and an investment rationale are important in dialogue with the board of directors. Consumers are looking for convenient installment plans, and regulators are putting clear frameworks in place. The regulatory landscape is already visible: CCD II in the EU and upcoming FCA rules. Those who build compliance “baked into” the product now will capture the better economics tomorrow.
I often see how calculating the ROI of licensing BNPL changes the tone of the discussion. When a model includes a transparent cost of compliance, capital requirements, integration stacks, stress tests and wind-down scenarios, the decision stops being a risky bet. It becomes a manageable project with a clear payback horizon.
Conclusions
Successful BNPL in Europe and the United Kingdom: it’s a synergy of product, compliance and operational discipline. If you reduce the formula to its essence: a clear jurisdictional strategy, strong substance, explainable affordability/unsuitability algorithms, deep integrations with registries, and transparent communication with customers and partners. The COREDO team has implemented projects where this very formula made it possible to enter 5+ EU markets within six months and complete the UK track without downtime.