Card issuance requirements from EU regulators in 2025–2026

Imagine the situation: you launched a successful payment service, serve thousands of customers, and suddenly receive a letter from the regulator demanding that all processes be brought into compliance with new standards. Fines for non-compliance reach millions of euros, and adaptation deadlines are measured in weeks. This is not a hypothesis — it is the reality hundreds of companies faced in 2025.

European regulators have radically changed their approach to card issuance. Where requirements used to be relatively flexible, they are now strict and relentless. The tightening affects everything: from customer verification procedures to technological security standards, from sanctions restrictions to tax regulation. And this is only the beginning.

Why is this happening? Anti-money laundering, countering sanctions, protection against cyberattacks: all these factors have forced the European Central Bank (ECB) and the European Banking Authority (EBA) to rethink the entire regulatory framework for payment services. Companies that do not adapt risk losing licences, facing account freezes and reputational damage.

Over nine years of work, we at COREDO have helped over 500 companies from Europe, Asia and the CIS successfully register payment services and obtain the necessary licences. Our experience has shown that success depends not only on knowledge of the law, but also on understanding how regulators interpret these requirements in practice. In this article I will share what every entrepreneur planning to work with card issuance in Europe needs to know.

Issuance of EU payment cards: who controls?

The European financial regulatory system is arranged like a matryoshka. At the top level are supranational bodies, the European Central Bank and the European Banking Authority. They set common rules and standards. At the middle level operate national central banks and financial regulators of each country. They adapt European requirements to local conditions and conduct supervision. At the lowest level are the companies themselves, which must comply with all these requirements at the same time.

COREDO’s practice confirms: companies often do not understand exactly who supervises them. For example, if you register a payment institution in Spain, you will be supervised by the Spanish regulator (Banco de España), but at the same time you must comply with the requirements of the EBA and the ECB. This means you are subject to three levels of regulation at once.

Role of the ECB, EBA and regulators in card issuance

The European Central Bank focuses on macroeconomic stability and monetary policy. But in the context of card issuance its role is critical: the ECB sets requirements for payment systems, defines security standards and monitors systemic risks. When the ECB issues a recommendation, it is not just advice — it is effectively a mandatory requirement for all market participants.

The European Banking Authority (EBA) is the body that develops technical standards for payment services. The EBA issues regular updates that define exactly how companies must implement PSD2 (Payment Services Directive 2) requirements. For example, the EBA determines which customer verification methods are considered sufficient, which technologies should be used to protect data, and how to organize monitoring of suspicious transactions.

National regulators are those who issue licenses and carry out on-site supervision. They have some freedom in interpreting European requirements, but they cannot ignore them. For example, the Spanish Banco de España may set higher capital requirements than the minimum established by the EBA, but it cannot set lower ones.

COREDO’s solution for clients from different countries: we have created a requirements monitoring system that tracks changes at all three levels of regulation. This allows us to promptly inform clients about new requirements and help adapt their processes.

PSD2 and card issuance in 2025–2026

Payment Services Directive 2 is not just a directive; it is a revolution in the payments industry. Entering into force in 2018, PSD2 redefined the rules of the game for all market participants. But in 2025–2026 its requirements became even stricter and more detailed.

The main principle of PSD2 is openness and competition. The directive requires banks to open access to accounts to third parties (Open Banking), so that payment services are available not only to banks but also to specialized payment institutions, and so that customers have a choice among different service providers.

For card issuers this means several key obligations. First, strong customer authentication (Strong Customer Authentication, SCA). This is not just a password — it is two-factor authentication that must be used for every transaction above a certain limit. Second, data security requirements. All card data must be stored encrypted, transmitted through secure channels, and processed in accordance with EMV and 3D Secure standards.

Third, Open Banking requirements. If a customer wants to connect your card to a payment aggregator service, you must provide an API for integration. This creates new opportunities but also new risks: you need to ensure that third parties meet security requirements.

COREDO’s practice has shown that many companies underestimate PSD2 requirements. They think that simply adding two-factor authentication is enough and that everything is fine. In reality, the requirements go much deeper. You need to review the entire system architecture, update processes, and train the team. We helped a Spanish company conduct a full compliance audit of PSD2, and it turned out they had more than 50 compliance gaps. After fixing these gaps the company not only avoided fines but also improved the user experience.

Sanctions restrictions and card issuance in 2025–2026

We need to be as honest as possible here: EU sanctions against Russian payment systems have created unprecedented challenges for companies working with cross-border payments. On 25 January 2026 the EU expanded sanctions against SPFS, SBP and the “Mir” system. This means that EU organizations can no longer use these systems, and companies working with payments must ensure that their customers do not violate sanctions restrictions.

For card issuers this creates a difficult situation. If you issue cards that can be used for payments through sanctioned systems, you may be held liable. This is not just a fine; it may lead to license revocation and criminal prosecution of company executives.

The solution developed by the COREDO team: we created a sanctions monitoring system that integrates with payment systems. The system automatically checks every transaction against sanctions lists and blocks suspicious operations. This requires investment in technology, but it is necessary to comply with regulator requirements.

In addition, companies must regularly update their sanctions policies. You need to clearly define which countries and companies you do not serve, which payment systems you do not use, and how you screen customers for sanctions restrictions. All of this must be documented and reviewed regularly.

AML requirements for card issuance in 2025–2026


Anti-Money Laundering (AML) is not just a set of rules; it is a philosophy that should permeate the entire organization. If in 2024 companies could treat AML as an administrative burden, in 2025–2026 it became a strategic priority.

Regulators tightened requirements because money laundering volumes are increasing. According to the International Monetary Fund, between 2 and 5% of global GDP is laundered each year. That’s trillions of dollars. And payment systems often become a channel for these operations. Regulators decided this must change.

Updated AML and KYC standards in the EU for card issuance

Know Your Customer (KYC) is the process by which a company identifies a customer and checks them for risks. In 2025–2026 the KYC requirements became much stricter.

Previously companies could use simplified verification for low-risk customers. Now all customers must undergo full verification. This means collecting not only passport details but also information about income sources, the company’s structure (if the customer is a legal entity), and beneficial owners.

For individuals the process looks like this: the customer uploads a copy of their passport, takes a selfie, and confirms their residential address. The system checks this data against databases (for example, against lists of politically exposed persons, PEPs). If the customer falls into a higher-risk category, additional verification is required.

For companies the process is much more complex. You need to collect incorporation documents, information about ownership structure, data on beneficial owners (Ultimate Beneficial Owners, UBO). You must check whether the company is connected to sanctioned countries or engaged in activities that could be linked to money laundering (for example, casinos, arms trading).

COREDO’s practice has shown that many companies underestimate the complexity of KYC for corporate clients. We helped a Lithuanian payment company develop a KYC process that includes 15 verification steps. It may seem like a lot, but it is necessary to meet regulatory requirements and to protect the company from risks.

Verification timelines have also tightened. Previously companies could complete verification within 10 days. Now verification is required within 2–5 days. This means investing in process automation. We recommend using digital identification systems (for example, eIDAS in the EU), which allow speeding up the verification process.

Reporting and monitoring of AML operations

If KYC is the entry check, then transaction monitoring is continuous supervision. Companies must establish systems that track all customer transactions and detect suspicious patterns.

What is considered suspicious? For example, if a customer suddenly starts making transactions totaling ten times more than usual. Or if a customer who lives in Europe makes payments to countries that are under sanctions. Or if a customer makes many small transactions that together add up to a large sum (this is called “structuring” and is a sign of money laundering).

Monitoring systems must automatically detect these patterns and generate alerts. Then a compliance specialist must analyze the alert and decide whether to file a Suspicious Activity Report (SAR) with the regulator.
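The three patterns described above can be expressed as simple rules that produce alerts for a compliance specialist to review. The following is an added illustration, not COREDO's system: the thresholds, the time window, the placeholder country codes and the sample transactions are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Assumed thresholds and list; a real programme sets these from its risk policy.
SPIKE_FACTOR = 10                        # "ten times more than usual"
SMALL_TX = 1_000                         # EUR; below this a payment is "small"
STRUCT_TOTAL = 9_000                     # EUR; small payments adding up to this
STRUCT_MIN_COUNT = 5
STRUCT_WINDOW = timedelta(days=3)
BLOCKED = {"XA", "XB"}                   # placeholder codes, not a real sanctions list

@dataclass(frozen=True)
class Tx:
    customer: str
    when: datetime
    amount: float
    dest: str                            # destination country code

def detect(txs):
    """Return sorted (customer, rule) alerts for a compliance analyst to review."""
    alerts, by_customer = set(), defaultdict(list)
    for tx in sorted(txs, key=lambda t: t.when):
        by_customer[tx.customer].append(tx)
    for customer, history in by_customer.items():
        # Rule 1: payment to a blocked destination.
        if any(tx.dest in BLOCKED for tx in history):
            alerts.add((customer, "sanctioned_destination"))
        # Rule 2: a day's total is >= 10x the median of at least 3 earlier days.
        totals = defaultdict(float)
        for tx in history:
            totals[tx.when.date()] += tx.amount
        days = sorted(totals)
        for i, day in enumerate(days):
            prior = [totals[d] for d in days[:i]]
            if len(prior) >= 3 and totals[day] >= SPIKE_FACTOR * median(prior):
                alerts.add((customer, "volume_spike"))
        # Rule 3: structuring, via a sliding window over small payments only.
        small = [tx for tx in history if tx.amount < SMALL_TX]
        start, running = 0, 0.0
        for end, tx in enumerate(small):
            running += tx.amount
            while tx.when - small[start].when > STRUCT_WINDOW:
                running -= small[start].amount
                start += 1
            if end - start + 1 >= STRUCT_MIN_COUNT and running >= STRUCT_TOTAL:
                alerts.add((customer, "structuring"))
    return sorted(alerts)

def sample_transactions():
    """Constructed sample data: four fictional customers."""
    t0 = datetime(2026, 1, 5, 9, 0)
    txs = [Tx("alice", t0 + timedelta(days=d), 100.0, "ES") for d in range(4)]
    txs.append(Tx("alice", t0 + timedelta(days=4), 1_500.0, "ES"))       # 15x usual
    txs += [Tx("bob", t0 + timedelta(hours=4 * n), 950.0, "LT") for n in range(10)]
    txs.append(Tx("carol", t0, 200.0, "XA"))                             # blocked
    txs += [Tx("dave", t0 + timedelta(days=d), 50.0, "CY") for d in range(5)]
    return txs

if __name__ == "__main__":
    for customer, rule in detect(sample_transactions()):
        print(f"ALERT {customer}: {rule}")
```

The spike rule compares against the median of earlier days rather than the mean, so that a single earlier outlier does not raise the baseline and hide a later spike.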

Reporting is a critical point. If a company identifies a suspicious transaction, it must file a report with the regulator within a specified timeframe (usually 5–10 days). If the company does not file a report, it is considered a violation and can lead to fines.

COREDO’s solution for clients: we help companies implement monitoring systems that meet regulatory requirements. We also help develop procedures for analyzing alerts and preparing reports. This requires investment, but it is necessary to comply with requirements.

Risks and management of issuing corporate cards in the EU

Corporate cards are a special case. They are issued to companies, not individuals, and therefore require more thorough checks.

The main risk when issuing corporate cards is that the card may be used to finance terrorism or other illegal activities. For example, a company may be a front for money laundering. Or the card may be used to finance terrorist organizations.

To minimize these risks, companies must carry out enhanced verification for corporate clients. This includes checking the company’s ownership structure, verifying beneficial owners, screening against sanctions lists, and checking the company’s history.

In addition, companies should set limits on corporate card transactions. For example, a daily transaction amount limit, a limit on the number of transactions per day, and limits on transactions in certain countries.

COREDO’s practice has shown that companies that take risk management seriously gain an advantage. They avoid fines, they avoid account closures by banks, and they gain regulators’ trust. We helped a Spanish company develop a risk management system that includes automatic screening of all corporate clients. This led the company to identify several suspicious clients and avoid serious problems.

Registration of legal entities for card issuance in the EU

If you decided to launch a payment service with card issuance, the first question is: where to register the company? This is a critical decision that affects everything else: capital requirements, taxes, compliance requirements, and the ability to scale.

Selecting a jurisdiction to register a company for card issuance

There are several jurisdictions in the EU that specialize in payment services. Each has its own advantages and disadvantages.

  • Spain: this is one of the most popular choices for startups. Capital requirements are relatively low (from €50 000 for a payment institution), the licensing process is relatively fast (3–6 months), and taxes are competitive. In addition, Spain has a well-developed ecosystem of payment companies, experienced consultants, and service providers.
  • Lithuania: this is another popular choice. The Lithuanian regulator (Bank of Lithuania) is known for its progressive approach to regulation. Capital requirements are low, the licensing process is fast, and taxes are low. Lithuania is also known for its digital infrastructure and support for fintech companies.
  • Luxembourg: this is a choice for companies that want to work with high-value assets. Capital requirements are high (from €1 million), but Luxembourg’s reputation as a financial center opens doors to attracting investments. Taxes in Luxembourg are also competitive thanks to tax incentives for financial companies.
  • Cyprus: this is a choice for companies that want to work with clients from different regions. Cyprus has low capital requirements, a fast licensing process, and low taxes. In addition, Cyprus has good links with companies from Asia and the Middle East.

COREDO’s solution for clients: we help companies choose the optimal jurisdiction based on their goals, budget, and development plans. We have created a jurisdiction comparison matrix that includes capital requirements, licensing timelines, taxes, compliance requirements, and scalability options.

| Jurisdiction | Minimum capital | Licensing timeline | Tax rate | Compliance requirements | Best suited for |
|---|---|---|---|---|---|
| Spain | €50 000 | 3–6 months | 25% | Medium | Startups, scaling in the EU |
| Lithuania | €50 000 | 2–4 months | 15% | Medium | Startups, digital solutions |
| Luxembourg | €1 million | 6–12 months | 0.29% (with incentives) | High | Companies with high-value assets |
| Cyprus | €50 000 | 3–6 months | 0% (on profit from investments) | Medium | Companies serving Asia and the Middle East |

Licensing and authorization for card issuance

Obtaining a license for card issuance is a long and complex process. It includes several stages and requires preparation of a large number of documents.

The first stage is choosing the type of license. In the EU there are two main types of licenses for payment services: Payment Institution License and Electronic Money Institution License.

  • Payment Institution License: issued to companies that provide money transfer services, payment processing, and issuance of payment instruments (including cards). This is the most common license for companies that want to issue cards.
  • Electronic Money Institution License: issued to companies that issue electronic money (for example, prepaid cards). This license requires higher capital and stricter compliance requirements.

The second stage is preparing documents. You need to prepare a business plan, a description of the technology architecture, descriptions of compliance procedures, risk management procedures, and customer service procedures. All these documents must be in the local language and must comply with the regulator’s requirements.

The third stage is submitting the application. The application is submitted through the regulator’s online portal. You need to fill out the form, upload documents, and pay the application fee (usually from €500 to €5 000).

The fourth stage is application review. The regulator checks the documents, may request additional information, and may hold a meeting with the company’s management. This stage can take from 2 to 12 months depending on the jurisdiction and the complexity of the application.

The fifth stage is receiving the license. If the regulator approves the application, the company receives the license. The license is issued for a specific period (usually 5 years) and can be renewed.

COREDO’s practice has shown that companies often underestimate the complexity of the licensing process. They think it’s enough to simply submit documents and wait for approval. In reality, you need to actively interact with the regulator, respond to requests, and provide additional information. We helped one Lithuanian company complete the licensing process in 3 months because we had prepared all documents in advance and actively engaged with the regulator.

Documents and the procedure for registering a legal entity

Before submitting an application for a license, you need to register the company. The registration process depends on the jurisdiction.

Singapore, for example, demonstrates how to effectively organize company registration. The company registration process in Singapore is known for its speed and efficiency — most applications are approved within 15 minutes to 3 days after the fee is paid. Although Singapore is in Asia, its approach to regulating payment services can serve as a model for European jurisdictions.

In the EU the company registration process usually includes the following steps:

  1. Choosing the company name — ensure the name is unique and does not infringe third-party rights.
  2. Preparing incorporation documents: prepare the company’s articles of association, the decision to form the company, and information about directors and shareholders.
  3. Opening a bank account — you need to open a bank account to deposit capital.
  4. Submitting documents to the company register — you need to file documents with the local company register (for example, in Spain this is the Registro Mercantil).
  5. Receiving the certificate of incorporation — after approval the company receives the certificate of incorporation.

Registration times vary from 3 to 7 days depending on the jurisdiction. After registration the company can apply for a payment institution license.

Technological requirements and safety standards for card issuance

Where technology used to be merely a tool for running a business, in 2025–2026 technology has become the foundation for regulatory compliance. Regulators now require companies to adopt specific technological standards and data protection methods.

Tokenization and contactless payments: what you need to know

Tokenization is the process by which real card data (number, expiry date, CVV) is replaced with a token, a unique identifier. A token can be used for payments, but if the token is compromised, the real card data remains safe.

EU regulators now require all card-issuing companies to use tokenization. This is not a recommendation — it is a mandatory requirement. Companies that do not use tokenization risk fines or losing their license.

Contactless payments are payments made without physical contact between the card and the terminal. This can be a payment via NFC (Near Field Communication), a payment via QR code, or a payment via a mobile app. Regulators require that all companies support contactless payments and that these payments be protected against fraud.

COREDO’s experience has shown that implementing tokenization and contactless payments requires significant investments in technology. Payment processing systems need to be updated, integration with payment networks (Visa, Mastercard) is required, and testing and certification must be carried out. But these are investments that pay off through reduced fraud and improved user experience.
