Blog

Since 2016 I have been developing COREDO as a solutions platform for entrepreneurs who build international financial services, crypto projects, payment companies and holding structures. During this time the COREDO team has implemented dozens of projects in the EU, Singapore, Dubai, the United Kingdom, Estonia, Cyprus, the Czech Republic, Slovakia and Canada, as well as in a number of countries in Asia and the CIS. I have seen how the same mistakes slow down launches, and how a properly assembled roadmap saves months and hundreds of thousands. In this article I will collect the working practices and methodologies that we regularly apply, and answer key questions: company registration abroad, choosing a jurisdiction for fintech, licenses (including MSB for cryptocurrencies and payments), substance requirements, opening a business account in the EU, compliance and AML.

Jurisdiction and Structure Selection Matrix

A strong structure starts with the right jurisdiction. I always begin with a jurisdiction selection matrix in which we rank countries across six blocks: regulatory regime, cost and timelines, substance requirements, banking ecosystem, tax predictability, sanctions and reputational risks.

• Regulatory compliance in the EU: clear rules, possibility of passporting for EMIs/PSPs within the EEA, but high expectations for governance and AML.
• Asia (Singapore): strict but transparent MAS policy; suitable for forex/crypto with mature processes; strong ACRA requirements for disclosure of beneficial owners.
• Middle East (UAE): free zone company setup is suitable for growth and tax optimization through free zones; sandbox regulatory regimes help quickly test fintech models.
• United Kingdom and Estonia: a digital ecosystem, fast launch, developed e-residency and digital banking in Estonia; banks meanwhile closely verify proof of address and substance.

I always recommend not skimping on designing the holding structure for asset protection. A holding structure for asset protection may include a European holding company, operating companies in the EU/UAE, and a separate trust for IP. Hybrid structures: Dubai + Poland often provide a balance of tax burden, access to talent and payment infrastructure (in Poland we take into account Poland’s PKD codes for activity classification and NPI/SPI payment schemes).

Registering a company abroad

Preparing corporate documents for the license and the registration itself: not just collecting certificates. Our experience at COREDO has shown: a clear description of the model, NACE codes for the EU, SIC codes for the UK and PKD codes — are part of the risk assessment for the bank and the regulator. An incorrectly chosen code makes the case «high-risk» in the eyes of compliance. I insist on early alignment: business model → activity codes → licenses → banking profile.

Substance requirements for companies have become the standard. To prove substance, banks and regulators expect:

• office (lease/contract, photos, floor plan),
• employees on the payroll with relevant functions,
• local director (if required by law),
• existing contracts with clients/suppliers,
• local accountant and audit (if applicable),
• a substance plan for 12–24 months.

Account opening and due diligence

Opening a business account in the EU is not about “filling out a form”. Banks expect a full due diligence checklist: constitutional documents, UBO structure, a business plan for licensing/operational model, evidence of substance, AML/KYC policies, proof of address, contracts with key counterparties. I prepare the client in advance for typical bank requests and for preparing responses: startup costs, sources of funds, turnover forecasts, payment geography, sanctions risks.

• weak KYC/CDD policy,
• risk appetite incompatible with client geography,
• inconsistent UBO and CRS/FATCA documents,
• insufficient substance and an unconvincing legal opinion for bank due diligence.

Licensing of money services businesses, virtual asset service providers, payment institutions and foreign exchange providers

Authorization to operate: the central element of your strategy. A solution developed at COREDO for fintech‑companies covers roadmaps and preliminary assessments.

When and how MSB outside the EU and FINTRAC

MSB outside the EU is a practical option for crypto exchanges, payment operators and remitters. How to obtain an MSB in Canada? The Canadian model is FINTRAC MSB registration in Canada, not the classic “license”. MSB FINTRAC requirements include:

• definition of service types: money transferring, dealing in virtual currency (MSB for cryptocurrencies),
• appointment of a compliance officer/MLRO,
• KYC/CDD and enhanced due diligence (EDD) for high‑risk clients,
• AML/CTF policy, risk assessment, training, independent review,
• SAR and threshold reports of suspicious transactions (threshold reporting),
• customer due diligence records retention policy.

Canadian MSB procedural compliance usually takes 3–4 months (MSB registration timeline 3-4 months) with ready policies and IT‑controls. Timing and cost of obtaining an MSB depend on product complexity and geography. I recommend conducting an MSB licensing ROI assessment before launch: a cost‑benefit analysis of licensing and an economic model help understand payback (MSB license ROI: payback calculation) taking into account banking fees, IT integrations and team requirements.

VASP in Estonia: crypto‑AML

VASP in Estonia: this is registration/Licensing of virtual asset service providers with enhanced requirements after the reforms. VASP registration process and requirements include:

• local office and board, real substance,
• minimum authorized capital (depending on the model: exchange/custody),
• appointment of MLRO and compliance officer, approved KYC and KYT (Know Your Transaction) policies,
• AML monitoring for crypto-to-fiat flows and transaction monitoring systems (transaction monitoring),
• independent compliance audit and regular reporting.

Payment licenses in the EU and the UK

Obtaining a payment license in Lithuania (Lithuania payment institution regime and requirements): a popular route for PI/EMI: clear capital requirements for payment institutions, a regulator open to innovation and the possibility of passporting across the EEA (passporting vs local licence: when it is advantageous). In Cyprus CySEC oversees forex/CFD (CySEC forex), while the Central Bank of Cyprus decides on PI/EMI; the combination is useful if you are building a brokerage and payments stack.

The UK is traditionally strong in PSP, but banks are stricter about cross‑border payments. I include proof of address and a substance plan in the roadmap, as well as cross‑border payments flows and AML requirements for correspondent banking relationships and their limitation.

Singapore MAS license for forex and crypto

Singapore is a compliance benchmark. The MAS license for forex and crypto requires well‑thought governance, IT‑controls and risk management. Singapore MAS licensing timeline and requirements depend on the license class: for DPT (crypto) and e‑money — a longer fit‑and‑proper check; for capital markets services — a focus on operational risks. ACRA requirements for beneficiary disclosure and a strict reporting culture set a high bar, but allow building a business for Asia with a strong reputation.

Banking licenses: capital adequacy

If your goal is a bank or a large EMI, I discuss Basel III and the calculation of capital adequacy. Capital adequacy under Basel III for banks: the foundation that determines risk‑weights of assets and capital buffers. The timeline for submitting to the CNB for a banking license (Czech National Bank) is usually 12–18+ months. For EMIs and PSPs: separate requirements for capital and internal controls, including liquidity stress tests, the ICAAP/ILAAP procedure and an independent internal audit.

How to build a working AML/CTF program

Compliance and AML for MSBs, PSPs and VASPs are not a set of documents but an operating system. I build the program around FATF recommendations, EU directives and local rules.

• KYC/CDD policies compliant with FATF: risk-based approach, customer segmentation, triggers for EDD.
• Transaction monitoring for payment services: scenarios, thresholds, behavioral patterns; AML risk scoring model for PSPs.
• SAR/STR, transaction limits, CTR and threshold reporting: alignment with local laws (for example, 10,000 as an operational threshold in some jurisdictions).
• Whistleblowing compliance and internal procedures: protected channels, investigations, lessons learned.
• The role of the MLRO and compliance control functions: independence, access to the board of directors, regular reports.
• Compliance program maturity model for ranking: from «ad‑hoc» to «optimized», with KPIs and an improvement roadmap.
• Customer due diligence records retention policy: retention periods and reliability of registers.
• Integration of AML monitoring with payment rails: core events of the payment platform, sanctions APIs, geolocation and device fingerprinting.

The COREDO team implemented AML SaaS solutions and RegTech integrations for companies with intensive P2P and merchant payment flows. As a result, the false-positive rate decreased, alert handling sped up, and regulatory inspections became predictable.

Sanctions, tax and corporate requirements

Assessment of sanctions risks during registration, a mandatory section. I use a jurisdictional risk assessment matrix to choose a jurisdiction and a sanctions risk matrix when working with clients: we cross-check OFAC, EU, UN lists, as well as media risks. Managing sanctions restrictions in international operations includes regular updates of lists, backtesting of transaction samples, and training.

CRS information exchange between tax jurisdictions and FATCA reporting requirements – a standard for banks and EMIs. I verify compliance with the UBO structure: transparency of the beneficial owner and the beneficiaries register, ACRA/EU disclosure, EU Directive 2017/1132 requirements for articles of association (objectives, capital, governing bodies).

COREDO Case Studies

• Canada, MSB for cryptocurrencies. The client planned OTC exchange and payments. We prepared an AML/CTF program, implemented KYT and transaction monitoring, appointed an MLRO, and completed FINTRAC registration of the MSB in Canada. Registration took 3.5 months, the bank approved the account after a legal opinion and a demonstration of case management for SAR. The project reached a positive ROI after 8 months.
• Estonia, VASP and a holding structure. The regulator required enhanced substance: office, board of directors, audit. The COREDO team developed a substance plan, completed e‑residency and digital banking in Estonia as an auxiliary tool, and connected a Swiss account for the holding. The regulatory audit was passed without adjustments.
• Hybrid structures: Dubai + Poland. We linked an operating company in a free zone with a Polish PSP under an NPI/SPI scheme. We set up tax optimization through free zones, provided AML consulting for international business and preparation for bank due diligence in the EU. We opened an account at Emirates NBD for opex and at a European bank for EU clients.
• Cyprus and Lithuania: forex and payments. For a broker we obtained a CySEC forex (CIF) and simultaneously initiated licensing in Lithuania under the payment institution regime. We segmented risks by separating investment services and payments. The combination provided flexibility for EU passporting and local sales.

Licensing timelines and roadmap

I do not start a project without a roadmap for obtaining a financial license. It outlines the stages:

1. Diagnosis and business model: NACE/SIC/PKD, license assessment, jurisdictional risk assessment.
2. Structure and substance: office, staff, hiring plan, local director.
3. AML/CTF: KYC/CDD/EDD, SAR/CTR, sanctions screening, training.
4. IT and integrations: AML SaaS, transaction monitoring, case management, reporting.
5. Documents: compliance policy, business plan, financial model, contracts, proof of address.
6. Submission and communication with the regulator, responses to requests.
7. Banking setup, legal opinion, account opening.
8. Post-licensing monitoring and periodic audits.

COREDO applies practical COREDO checklists to launch within 2–3 months where permissible (for example, preparation of documents and compliance before formal submission), to accelerate the initial stages.

Banking and regulatory due diligence

Preparation for banking due diligence: it’s about logic and sequence. I coordinate:

• legal and tax due diligence before registration,
• assessment of CRS/FATCA statuses for all UBOs,
• plan for account openings (EU/Switzerland/UAE),
• exit strategies and restructuring after a refusal (if the risk is high).

The solution developed at COREDO includes templates for responses to banks, risk narratives, a request matrix and a set of evidence of substance. For correspondent banks, we predefine permitted geographies and MCC codes, set transaction limits and specify the process for stopping suspicious transactions.

Post-licensing support

A license is a start, not a finish. Ongoing compliance advisory and fixed-fee support keep the program up to date. Post-licensing monitoring and periodic audits include:

• internal audit, regulatory audit and preparation for inspections,
• updating KYC/CDD and EDD procedures,
• integration of whistleblowing and internal investigative practice,
• refresh of sanctions lists and AML program KPIs,
• updating capital requirements for payment institutions and reporting.

Brief checklists and best practices

• Before registration:
  • Compare the business model against NACE/SIC/PKD.
  • Create a jurisdictional risk assessment matrix and a sanctions matrix.
  • Prepare a business plan, financial model, proof of address, and substance plan.
• For licensing:
  • Collect KYC/CDD/EDD policies, AML/CTF per FATF, SAR/CTR, and retention records.
  • Appoint an MLRO and a compliance officer with relevant experience.
  • Set up transaction monitoring, KYT, sanctions screening, and case management.
• For banks:
  • Obtain a legal opinion; verify the UBO structure for CRS/FATCA.
  • Prepare responses to standard queries and sources of funds.
  • Choose a bank according to geography and risk appetite, and provide for a backup account.
• For crypto/fintech:
  • Check VASP requirements and the MTF framework (if there is an asset market).
  • Ensure crypto AML controls and an independent audit.
  • Calculate the ROI of an MSB license and compare it with alternatives in the EU/Asia.

What Really Works

If you are building an MSB for cryptocurrencies, planning a VASP in Estonia, aiming to obtain a payment license in the EU or a MAS license in Singapore: you are already on the right track when you look at requirements holistically: from NACE/SIC/PKD to AML SaaS and Basel III. The COREDO team prepares not a “folder of documents”, but an operating system of compliance and banking relationships that withstands growth.

Conclusions

If you need a practical plan – from a jurisdiction-selection matrix to a regulatory audit and account openings, give us the context of your model. I will involve COREDO experts on licensing, AML and banking due diligence, and we will assemble a roadmap that will lead to a license and a sustainable operating model.

I see every day how even strong crypto companies and fintech projects face not so much technical challenges as banking and regulatory ones. The main choke points are correspondent banking, settlements and account freezes caused by insufficiently developed AML and weak “substance”. Over ten years my team and I at COREDO have gone through dozens of licensing processes, hundreds of legal-entity registrations in the EU, Asia and the Middle East, and numerous account-unblocking procedures. Below is a structured guide to the issues that most often lead to payment bottlenecks, and to the solutions that actually work.

Crypto business and correspondent banking

Crypto business and correspondent banking are directly linked today. If a correspondent bank detects an abnormal transaction velocity in your flows or “dirty” sources of funds, it will block the transfer before it is credited. Correspondent banks and crypto are an area of heightened scrutiny: SWIFT filtering and sanctions screening are in effect, and threshold rules and correspondent risk assessment models are applied.

Choice of jurisdiction and company registration

Geography matters, but details decide: the required license, substance requirements, access to EMI and correspondent accounts, as well as local FIU and regulator support in dialogue with the bank. Below are the main areas where the COREDO team has implemented sustainable launch models.

EU: VASP/CASP/EMI and PKD codes

In the EU, crypto companies often find the best starting conditions in Lithuania and Estonia. VASP registration in Estonia today requires strengthened capital, designated AML officers and an internal auditor, as well as a precise description of Travel Rule procedures. The timeframe for document preparation and FIU review usually takes 2–4 months if KYC/E‑KYC and EDD on beneficiaries are set up in advance.

MPS/PSA in the UK and Singapore

In the UK the FCA’s regulatory requirements for crypto and payments are quite detailed, and a bank’s willingness to engage heavily depends on the transparency of UBO disclosure and the quality of the AML policy. Singapore sets a high bar on substance requirements: a local director, office, staff, and genuine operational activity. For MPS/payment licenses under MAS requirements, detailed AML/CTF procedures, IP/geo-analysis of counterparties and integration of an AML Rule Engine are critical.

DFSA and DMCC in Dubai: nuances

Dubai via DFSA and DMCC offers flexibility but requires discipline. DFSA and DMCC in Dubai look at the Travel Rule, sanctions screening, and the separation of fiat/crypto flows when transferring via SWIFT and local clearing.

EMI, forex, payment and crypto licenses

A license is not just a piece of paper, it is the language of communication with the bank and the correspondent. For EMIs, capital, governance and access to correspondent accounts via sponsorship arrangements are important. For forex providers and CASPs, EDD on beneficiaries, a KYC archive and storage of transaction metadata, as well as threshold monitoring, are critical.

Our approach at COREDO is to start with the business architecture: product map, client jurisdictions, currency of turnover, plan for correspondent relationships. When Licensing is backed by an operating model, the bank issues limits faster and is less likely to trigger SWIFT filtering with manual review.

Correspondent banks and crypto: risks

Correspondent risk (correspondent banking risk) – is a combination of jurisdiction, client profile, sanction exposures and data quality. The bank takes into account OFAC sanction lists, EU/UK lists, as well as your response to sanction updates and watchlists. If the profile includes P2P operations, OTC desks and mixers, the risk score increases instantly.

AML for crypto business: from Travel Rule to EDD

A strong AML is not a summary of rules, but a working pipeline. Here the Travel Rule and the FATF requirements, EDD configuration, continuous sanctions screening and transaction checks via blockchain analytics are important. Integration of Chainalysis and other blockchain‑forensic tools is already the standard, not an option.

The solution developed at COREDO provides an AML‑Rule Engine with transactional rules for velocity, structuring/smurfing patterns, geo‑behavior and ‘freshness’ metrics of funds. Such an engine logs events to SIEM, generates reports for the FIU and reduces manual alarm handling.

FATF Requirements and the Travel Rule

VASP compliance in the EU and Asia

In the EU, supervision is moving toward MiCA/CASP, with increased requirements for capital, reporting and risk management. In Asia there is a stronger emphasis on the technical side of monitoring and IP/geo‑controls.

Peer-to-peer Cryptocurrency Exchange Risk Control

P2P crypto exchange and risks is a topic where banks closely scrutinize escrow models, order allocation, turnover speed and sources of liquidity. In P2P there are sanction and entity risks, as well as an increased risk of payment structuring. The best AML practices for P2P exchangers in the EU include separate wallets for different classes of counterparties and separate fiat accounts for each on‑ramp channel.

Account blocks: causes and mechanisms

The primary reasons for account blocks of crypto companies in the EU and Asia are lack of or vague AML policies, Travel Rule gaps, insufficient beneficiary documentation, and sharp spikes in transaction velocity. The use of privacy coins without compensating control procedures and suspicious links to mixers also trigger blocks.

Proof of Legality: KYC/E‑KYC

How to prove the legality of fiat inflows into a crypto company? We collect a chain: contracts, invoices, bank statements, tax returns, smart contracts and on‑chain evidence. Integration with Chainalysis for proof of legality routes addresses with “green” tags, shows a risk score and isolates toxic segments.

Confirm Substance and retain accounts

Substance is not a mailing address, but an ongoing operational presence: staff, office, contracts, reports, local taxes. Substance requirements in Singapore require a local director, an office lease and a clear hiring plan. In the EU and in Cyprus substance requirements also include a genuine managerial function and local payment arrangements.

Opening and maintenance of accounts: banks, EMI

EMIs and access to correspondent accounts are a combination that banks assess through the lens of risk management and client profile. It is more appropriate to arrange several EMIs and one or two banks, using SWIFT‑GPI for transparency and separate Nostro/Vostro arrangements for different currencies. This provides resilience and manageable limits.

Compliance technologies: Rule Engine, SIEM

Modern AML is built around the integration of AML‑Rule Engines, SIEM and API integrations for blockchain analytics. Sanctions screening operates through a multi-stage workflow: pre‑screening, on‑screening, post‑event review and escalation to case management. In effect, it is a compliance factory where every event is logged and can be presented to the FIU.

Scaling without limits

Scaling a P2P‑platform without increasing correspondent limits can be achieved through segregated flows, local clearing systems and alternative rails. Alternatives to correspondent relationships for international fiat transfers include a sponsored payments model via a large EMI, local schemes (SEPA Instant, Faster Payments), as well as regulated on/off‑ramps with stablecoins, if compliance permits.

COREDO Case Studies – practical stories

– Estonia, VASP registration. The client came with a ready product but without a Travel Rule and with “high-risk” beneficiaries. The COREDO team implemented EDD packages, integrated a Travel Rule provider and built a KYC archive. Registration took 11 weeks, the bank opened an account with a base limit, which was doubled after three months with consistently “clean” flows.

– Cyprus, EMI license. The client needed access to SEPA and correspondents for multiple currencies. We prepared a business plan, a risk framework, sanctions screening workflow and proof of funds for the capital. Through a sponsor bank the client obtained Nostro/Vostro agreements and GPI trackers, and also increased limits after the first quarter without incidents.

Compliance ROI and outsourcing

Outsourcing compliance for crypto often pays back within 3–6 months thanks to reduced downtime and losses due to blocks. ROI metrics for blocks include Loss of Revenue, Downtime, Cost of Funds and an increase in CAC due to frictions on the on‑ramp.

Answers to clients’ frequently asked questions

• What do banks pay attention to when assessing a crypto company as a client? The bank evaluates UBO disclosure, EDD‑packages, implementation of the Travel Rule, sanctions screening and segregation of flows. Substance and the quality of proof of business are important, as well as readiness for FIU interaction, including timely SAR/STR.
• In which jurisdictions is the risk of correspondent account blocks lower? Where there is a clear regulatory regime (EU, United Kingdom, Singapore, Cyprus, Dubai) and real substance. Jurisdiction: half the success, the other half: the actual AML model and predictability of flows.
• How to properly structure correspondent relationships when working with crypto flows? Start with a hybrid EMI+bank model, agree on limits and types of counterparties, document the Rule Engine and blockchain monitoring. Regularly share reports with the bank and do not mix P2P with corporate flows.
• What documents does the bank request in case of suspicious activity and how many should be prepared in advance? They usually request proof of funds, KYC/E‑KYC logs, contracts, invoices, tax documents and a Chainalysis report. Prepare a “box” in advance, update it quarterly and retain transaction metadata for at least the required period.
• How long does VASP registration in Estonia take? On average 8–12 weeks to prepare the package and 60–90 days for FIU review if there are no revisions. With quality pre‑screening of beneficiaries, the risk of delays is significantly lower.
• How to reduce correspondent risk with P2P and avoid SWIFT filtering? Separate fiat and crypto flows, configure sanctions screening and the Travel Rule, limit velocity and volumes per client. Agree with the bank on lists of allowed counterparties and route payments via GPI with transparent remittances.
• How much do FATCA/CRS affect opening accounts for crypto businesses? They have a significant impact, as tax reporting data forms part of the risk profile. It’s important to correctly and timely submit CRS/FATCA reports, avoiding discrepancies with bank questionnaires.
• Which banks are tightening checks for OFAC and sanctions? This is a trend among all banks with access to dollar liquidity and large correspondents like Deutsche Bank, MUFG and Citi. Therefore, sanctions screening and watchlist updates must operate without delays.
• Which licenses are suitable for scaling P2P? In the EU, CASP with a strong AML function, in Cyprus, CASP/EMI depending on the model, in Singapore, MPS/PSA with extended on‑ramps. The key: proper separation of flow risk segments and clear governance.

Checklists: documents, policies and steps

• Proof of funds and an evidence‑package for the bank. Gather contracts, invoices, statements, tax returns, and on‑chain reports. Supplement with KYC/E‑KYC logs, IP/geo analytics, a counterparty profile, and a fund‑routing map.
• Preparation of a business‑plan and AML policy for an EMI/Payment license. Describe the product map, customer segments, geography, and flow projections. Attach the AML policy with a Rule Engine, sanctions screening workflow, Travel Rule implementation, and an EDD plan.
• Due diligence of beneficial owners for the bank. Prepare UBO disclosure, biographies, source of wealth, and supporting documents. Conduct an independent media search, political exposure checks, and sanctions screening with findings.
• How to organize substance in Singapore to retain accounts. Sign a lease agreement, hire a local director and key staff. Maintain local accounting, document operational processes, and regularly confirm business activity.
• Which PKD codes to specify to minimize blocks. Analyze the code’s conformity with the declared services and the bank profile. Exclude “grey” formulations and reflect specific crypto operations in the classifier’s language.
• How to integrate blockchain monitoring into the AML policy. Describe data sources, threshold values, actions on alerts, and metadata storage. Include API integrations, white/blacklisting procedures, and case escalation to the FIU.
• What to do when you receive a letter about suspension of operations. Immediately acknowledge receipt, request the list of requirements and deadlines. Compile an expanded evidence package and propose a corrective action plan with deadlines.

Partnership with COREDO

Crypto business and correspondent banking are not about luck but about process architecture and data accuracy. When AML‑policy, the Travel Rule, sanctions screening, substance and the evidentiary base are combined into a single system, account blocks become rare exceptions and scaling turns into a manageable routine. The COREDO team has implemented dozens of such systems in the EU, Asia and the Middle East, and I see how mature compliance increases business valuation.

I have been leading COREDO since 2016 and every quarter I see the same thing: companies that treat the fight against money laundering (AML) as “a checkbox for the regulator” end up paying a high price for it — from account freezes and halted operations to prolonged inspections and the loss of partners. AML compliance works as an asset when it is embedded in a growth strategy, rather than living in a separate file on a server. When the COREDO team implements AML processes taking into account the specifics of the jurisdiction, business models and IT architecture, clients receive not only licenses and peace of mind during inspections, but measurable efficiency — reduced false positives, faster onboarding and a better ROI on investments in AML technologies.

Regulatory guidelines are clear: recommendations of FATF, EU directives AMLD5/AMLD6, EBA guidance, principles of the Wolfsberg Group. But a dry list of requirements rarely leads to a working system. The solution developed at COREDO always relies on a risk-based approach (RBA), a clear Risk Appetite Statement and transparent AML team KPIs. I call this “operational compliance”: not only do we comply, but we also bring value to the business.

RBA in AML compliance

RBA mistakes and how to avoid them

• Mixing product and customer risks into a single scoring. I separate these dimensions; otherwise we lose transparency and explainability.
• Lack of a Risk Appetite Statement for AML. Without it, escalation and investigations become chaotic.
• Universal rules that don’t consider the National Risk Assessment (NRA) of operating jurisdictions. The COREDO team always calibrates rules to the specific country and sector.
• Underestimating false negative risk. We include stress tests and red-teaming to uncover blind spots.
• Errors in customer risk scoring algorithms. Validation and periodic review of factor weights address this issue.

Mistakes in developing AML policies

Each of these mistakes regularly occurs in real projects, and each can be fixed with a simple but disciplined approach.

1. Mistakes in developing AML policies not tied to operational reality. The policy describes an ideal, but procedures and systems do not support it. I ensure full alignment: “policy: procedure: control, data”.
2. Typical KYC mistakes in a client’s policy. Insufficient verification of documentary evidence, lack of dynamic data updates, ignoring LEI. We connect reliable data sources and set update frequency according to risk level.
3. Shortcomings in the policy for identifying beneficial owners (Beneficial ownership). Errors arise when using only registries. I add a cascading approach: corporate trees, independent sources, verification of indirect control.
4. Errors in screening PEPs and sanctions lists. Incomplete sources, infrequent updates, narrow matching algorithms. At COREDO we build multi‑source screening, take into account Sanctions lists update frequency and flexibly configure fuzzy matching.
5. Errors when configuring transaction monitoring. Universal thresholds lead to an avalanche of False positives, while excessive filtering leads to missing suspicious schemes. I apply alert tuning, analysis of the economic efficiency of rules and Explainable AI.
6. How to set up SAR/STR procedures without errors. Clear escalation criteria, deadlines, roles, Case management and quality control. We build standard templates and train analysts to work with FIU.
7. Mistakes in the risk appetite statement for AML. Uncertainty creates delays and paralysis in decision-making. I document the principles and threshold values at the board level.
8. Insufficient customer segmentation in CDD as an error. One size does not fit all. In COREDO projects segmentation is based on behavior, geography, product and channel.
9. The impact of shortcomings in data recording and storage on STR investigations. Without a quality Retention policy and Audit trail, investigations stall. We implement Data quality and MDM practices.
10. Why an independent AML audit is mandatory. An external view reveals model drift, process conflicts and weak spots in Governance. I schedule an audit annually and after major changes.

Implementing an AML policy in the company

My principle is simple: I don’t implement a policy until I see how it “works through” the system from onboarding to the report to the FIU. Each role understands its tasks, and integrations and access rights are exercised on test scenarios.

ERP/CRM implementation roadmap

• Audit of current systems, data catalog, API integration map, assessment of real-time monitoring vs batch processing.
• Setting up Role‑based access control and Segregation of duties to eliminate conflicts of duties.
• Integration of KYC services and sanctions providers with ERP/CRM and the front office.
• Testing end-to-end scenarios: onboarding, data updates, escalation, SAR/STR.
• Documentation, version control, training, and go-live with metrics for alert disposition.

TMS configuration: rules and results

SAR/STR: Case management and escalation

KYC, CDD and EDD: depth and control

KYC – it is not a form, but a process. It begins with proper segmentation, continues with collecting Documentary evidence and ends with the continuous updating of the client’s profile. CDD: the basic level of verification, EDD – enhanced for high-risk clients and complex structures.

Client risk segmentation

Insufficient client segmentation in the CDD methodology leads to unjustified workload and gaps. I apply a Customer risk rating that takes into account the industry, country, product, channel, counterparty type, PEP status and sanctions risks.

Beneficial owners, LEI and evidence

Identifying beneficial owners: an area where mistakes are often made. I use a multi-layered methodology: registries, corporate trees, contractual links and signs of indirect influence. LEI speeds up legal entity verification and facilitates matching. For CDD/EDD it is important to accumulate Documentary evidence with clear controls on timeliness and sources.

Depth of PEP and sanctions screening

PEP screening and Sanctions screening require up-to-date sources and flexible algorithms. We set the Sanctions lists update frequency, use multiple data providers and configure fuzzy matching with control of False negative risk.

GDPR and cross-border data transfers

Without a data culture, AML processes lose effectiveness. I start with data quality and master data management: consolidation of reference data, field quality control, automatic validators, unified identifiers. Audit trail records all actions, and the retention policy accounts for retention periods by jurisdiction and processing purpose.

GDPR: security and access

For cross-border data transfers I assess legal bases, standard contractual clauses and local restrictions. Cloud-based AML solutions provide flexibility if RBAC, encryption and monitoring are configured correctly.

Role of the board in governance

Governance and oversight shape the compliance culture. I ensure board engagement: approval of the Risk Appetite Statement, review of KRIs and KPIs, AML officer reports and a development plan.

AML officer independence and training

Third-party management

Outsourcing AML functions helps to scale, but typical mistakes when outsourcing AML functions include: unclear SLAs, lack of quality control and a weak data access model. I build Third‑party risk management and vendor due diligence: provider assessment, test assignments, KPIs, sample case audits, and a contingency plan.

Preparation for FIU and regulator inspections

Why an independent AML audit is mandatory and what to avoid? An external assessment will reveal gaps the internal team doesn’t notice because of a “jaded” view. I use Realistic testing and red‑teaming of AML policies to ensure scenarios actually catch risk typologies.

Preparation for an FIU and regulator inspection

AML Technologies and Effectiveness

The business expects measurable results. Therefore, I build KPIs and performance metrics for the AML team:

• Alert disposition metrics: false positive rate, average processing time, escalation rate, confirmed case rate, share of SARs/STRs.
• Backlog remediation: a plan to reduce backlog and keep it within SLA.
• Cost‑benefit analysis for AML solutions: cost per alert, cost per SAR, cost-effectiveness of monitoring rules and models.
• KRI: percentage of high-risk customers, percentage of customers with EDD, sanctions match rate.

Crypto AML and VASP specifics

For providers of virtual assets the Travel Rule, on‑chain analytics and integration of address risks into the TMS are important. Common mistakes in virtual asset service provider (VASP) policies include ignoring mixer chains, weak counterparty due diligence and lack of procedures for high‑risk jurisdictions. We implement real‑time monitoring, sources of address and route risk assessments, and STR procedures for higher‑risk transactions.

• insufficient training dataset,
• lack of model validation and drift monitoring.

The COREDO team sets the MLOps standard for AML: data versioning, result replication, Explainable AI and regular retraining.

COREDO cases in the EU, Asia and the CIS

• EMI‑license in the EU and TMS integration. A client with a product in the Czech Republic and Slovakia was preparing for licensing in one of the EU countries. The COREDO team implemented RBA, Risk Appetite Statement, deployed a TMS with contextual features and Explainable AI. Result: a 42% reduction in False positives, shortening corporate client onboarding from 7 to 3 days, and a successful regulatory review without findings.
• payment license in Singapore. For the payment services license under MAS we created an AML policy and procedures, taking into account local requirements and the GDPR for cross-border data transfers. The solution developed by COREDO included RBAC, case management and strict SLAs. Outcome: the regulator noted the maturity of governance and the quality of escalations.
• VASP‑project in Estonia with Travel Rule. A client from the EU was planning expansion to Dubai. We established Crypto AML and Travel Rule processes, conducted vendor due diligence for providers of address risk, set up an independent audit and a Regulatory change management plan. Result: flawless STR filing and a successful product launch in several jurisdictions.

How to remediate AML violations

When the FIU or a regulator points out deficiencies, it’s important to respond quickly and in a structured way.

Our experience at COREDO has shown that an effective roadmap consists of the following stages:

1. Gap assessment and prioritization by risk and business impact.
2. Quick «wins» (quick wins): policy updates, alert tuning, eliminating bottlenecks in SAR/STR.
3. Strategic changes: review of RBA, update of the Risk Appetite Statement, implementation of KPI/KRI at the board level.
4. Data & tech: improving data quality, Model validation, drift monitoring, tuning Explainable AI.
5. Governance: strengthening the role of the AML officer, updating documentation and version control, a plan for an independent audit.
6. Backlog remediation and monitoring the sustainability of changes.

How COREDO supports businesses

When we launch projects, I look beyond just AML compliance. Legal entity registration in the EU, Czech Republic, Slovakia, Cyprus and Estonia, support in the United Kingdom, Singapore and Dubai, is the foundation. Obtaining financial licenses (crypto, payment, forex, banking) requires consistent policies and a mature operating model. The COREDO team builds the entire chain: from corporate structure to AML processes, integrations, training and independent audit.

AML as a competitive advantage

A good AML policy works like navigation: it shows routes, warns about risks and helps you move faster. AML compliance delivers business results when it relies on a mature RBA, a clear Risk Appetite Statement, high-quality data and technological discipline. I see client teams start making decisions faster, reduce false positives, ease the burden on the front office and strengthen relationships with banks and regulators.

COREDO builds exactly such a system: practical, measurable and scalable. If you are planning to register a company in the EU, Asia or CIS countries, preparing to obtain a financial license or want to strengthen the fight against money laundering (AML), draw on experience. My team has already solved similar tasks in the Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore and Dubai. We speak the language of both business and regulators and turn requirements into working processes – with transparent KPIs, reliable governance and a sustainable ROI.

Since 2016 I have been building COREDO as a platform where entrepreneurs receive not just company registration abroad and access to banking, but a resilient architecture of payment flows and compliance processes that withstand regulatory audits and business growth. Over these years the COREDO team has implemented projects in the EU, the Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore and Dubai, as well as in a number of CIS countries, and I have a clear understanding of the pain points of high-risk segments: from de-banking and account freezes to fragmented AML and licensing requirements. This article is my condensed experience and a working methodology that we apply daily in payment organizations, fintech, crypto (VASP), forex, e-commerce and related verticals.

My goal is to provide practical support: how to structure registration solutions and obtain licenses, how to build control over payment flows and reduce AML risks in high-risk businesses, how to implement compliance programs for high-risk industries so that scaling does not break the system. COREDO’s practice confirms: predictability and transparency of processes reduce time-to-market, increase the trust of banks and acquirers and make compliance a driver of growth, not a brake.

Registration of payment infrastructure

registration of a legal entity for the high-risk segment: not a formality, but part of the risk profile. Our experience at COREDO has shown that ownership structure (UBO), corporate transparency and availability of beneficial ownership registers in the EU and Asia directly affect access to banks, correspondent accounts and payment providers. I recommend starting with risk-based jurisdiction mapping: we assess the regulatory regime (AMLD5/AMLD6, PSD2), case law, banks’ attitude to MCC classifications and high-risk models, as well as local requirements for an AML officer and reporting.

Registering a legal entity in the EU to access banks makes sense if the payment model is thought through in advance: SEPA/SWIFT routes, possible access to local acquiring, requirements for KYB and source of funds/source of wealth. The solution developed at COREDO for clients in the Czech Republic and Estonia includes preparation of a KYB package, UBO verification, geographic and jurisdictional risk analysis and a transaction monitoring implementation plan. This increases the likelihood of passing the bank’s risk committee and reduces onboarding time.

Correspondent banking and counterparty risk remain critical. In the SWIFT payment chain sanctions monitoring, OFAC and international sanctions compliance are important, as well as control of exotic routes through third-party payment processors. In COREDO cases we implement combined checks: sanctions, PEP, adverse media and continuous synchronization of sanctions lists. Such duplication reduces the likelihood of false negatives in cross-border payments and maintains the required SAR rate.

Migration of payment providers during de-banking is a separate task. I’ve seen high-risk PSPs lose an acquirer due to chargeback ratio and non-compliance with PSD2 and AMLD. We restarted the infrastructure through reserve acquiring partners, reworked MCC coding and anti-fraud strategies for PSPs and aggregators. Important lesson: prepare a “warm” reserve — an alternative PSP, a PayFac model, and also a package for rapid repeat KYB with a new provider.

Payment facilitators and merchant onboarding require precise profiling of merchant risk, MCC validation and implementation of KYC and KYB for high-risk merchants. The COREDO team implemented multi-level onboarding schemes: basic KYC/KYB, then EDD (enhanced Due Diligence) for complex clients, including documenting sources of funds, beneficiary verification and adverse media. Such segmentation reduces frictions for low-risk sellers and protects from accumulation of latent risk in the long tail of merchants.

Compliance: risk-based approach and EDD

risk-based approach to transaction screening is a standard that turns AML into a probability-management system. I insist that the risk appetite be formalized in policy: which geographies are acceptable, which goods/services are excluded by MCC, how we assess payment structuring (smurfing) and layered schemes. This approach makes it easier to tune AML rules and reduce false positives without compromising security.

KYC/KYB: it’s not just collecting identity documents and corporate extracts. In a high-risk environment combined checks are needed: document verification (OCR), liveness, customer authentication, biometric verification and beneficial ownership (UBO) checks. In COREDO projects we combined data enrichment via global data providers, entity resolution for corporate clients and adverse media monitoring to rule out synthetic identity and hidden connections.

In the VASP and AML segment when working with cryptocurrencies the linkage is important: licensing requirements (for example, registration in Estonia or in several Asian hubs), blockchain analytics and a travel rule policy. Using blockchain analytics to trace transactions enables detection of high-risk sources (mixers, sanctioned wallets) and supports preparation and filing of SARs/reports of suspicious activity. In one COREDO case EDD procedures for a VASP reduced risk by 40% according to an internal model, and escalation time was halved.

Trade-based money laundering (TBML) in payment flows is often underestimated. We encountered document forgery/substitution, false valuation of goods, inflated invoices and anomalous refund schemes. TBML control requires matching logistics, price benchmarks, counterparty profiles and graph analytics across the supplier network. Paired with sanctions monitoring this is a powerful barrier against circumventing restrictions via trade transactions.

Geographic and jurisdictional risk must be measurable. I rely on FATF recommendations and risk assessments, as well as on local regulatory requirements in the EU, Asia and the CIS. We adapt scoring models taking into account FinCEN guidance on high-risk sectors, local lists and the specifics of bank de-risking. This is especially important in transit jurisdictions where counterparty risk and de-banking can flare up suddenly.

Transaction monitoring and anti-fraud

AML architecture: real-time vs batch monitoring: a key design decision. In high-risk verticals you can’t avoid real-time: instant payments, cards and crypto move quickly, and time-to-detect determines losses. The solution developed at COREDO combines real-time alerts for high-priority scenarios and batch processing for complex transaction graph analysis and counterparty network analysis. Such a hybrid reduces load and improves TPR while keeping FPR under control.

Transaction monitoring rules and scenarios should cover patterns: structuring, geo-velocity, spikes in amount/frequency, chains through related counterparties, indicators of money laundering on refunds, fraud schemes with intermediaries and escrow abuse. We also include sanctions screening in cross-border payments at the counterparty and beneficiary level, plus management of false negatives through regular scenario validation.

Integration of AML with KYC authorization and 3DS is an important loop for card-present and card-not-present operations. Add device fingerprinting, behavioral biometrics and dynamic risk rules. For PSPs and aggregators, anti-fraud strategies should account for acquiring risk, chargeback fraud and maintain a healthy chargeback ratio for relationships with the acquirer. In one COREDO project, optimizing 3DS routines reduced fraud by 32% with no noticeable drop in conversion.

Data enrichment, entity resolution and graph analytics close the “blind spots”. I welcome the use of external sources, but insist on GDPR and data privacy: minimization of personal data, transparent retention policies and encryption at rest. From a channels perspective, control risks in SWIFT, SEPA and local ACH: differences in cut-off times, returns and reconciliation create operational gaps that bad actors exploit.

Scoring and explainability

Machine-learning-based transaction scoring models are applicable when you have enough labeled events and a mature validation process. In a high-risk environment ensemble models for transaction scoring that combine gradient boosting and simple rules perform well. For detecting anomalies using clustering and semi-supervised approaches we use reference profiles of merchants/payers and monitor spikes in activity.

A cost-benefit analysis of implementing AML systems and the ROI from automating AML and anti-fraud systems: a question for the CFO. We calculate the total compliance costs, the cost of SARs (in addition to direct operational hours this includes the risk of fines and lost revenue from false blocks), the economics of reducing chargebacks and fraud loss. In COREDO projects, RPA automation for alert handling and SAR preparation reduced TAT by 25–40%, and a 20% reduction in false positives often paid off the project within 6–9 months.

Managing false negatives requires careful tuning: regular analysis of “caught/missed” cases, retro-simulations and backtesting. I recommend allocating an independent quality control (QA) for compliance alerting to avoid confirmation of one’s own hypotheses and to maintain an objective assessment of risks.

Compliance: people, processes, outsourcing

AML duties officer and building the compliance function are the foundation. The AML officer sets the risk appetite, approves policies, oversees regulatory monitoring and AML reporting, escalates complex cases, and organizes preparation for regulatory audits and internal inspections. In mature PSPs and VASPs we also see separate roles for sanctions, KYC/KYB, monitoring and investigations, as well as a model owner for ML.

Outsourcing vs in-house AML: advantages and risks are balanced between control and speed. AML outsourcing allows you to quickly scale alert processing, implement 24/7 coverage and cover rare competencies (for example, TBML or crypto analytics). When choosing a provider and SLA I insist on checking quality controls, TAT speed, the possibility of an independent audit, staff redundancy and incident-management procedures. In a number of cases COREDO acted as an integrator: we built an in-house core and handed off peak load under SLA.

Regulatory requirements in the EU, Asia and the CIS vary, but the common framework includes: FATF, AMLD5/AMLD6 in the EU, PSD2 for cards and payments, OFAC and international sanctions, and FinCEN guidance for high-risk. I recommend a single global standard with local add-ons to avoid a ‘zoo’ of policies. This makes regulatory reviews and audit preparation easier, and simplifies staff training and the awareness program.

Data privacy, GDPR and data retention are mandatory lines of defense. I adhere to the principles of privacy by design: data segregation, role-based access control, encryption, masked data in analytics, and archiving and audit logs for investigations. We separately maintain incident management and escalation of suspicious cases: who makes the decision to block, how the client is notified, when a SAR is filed, and within what timeframe we perform a post-incident review.

Third-party and counterparty management is an area of heightened attention. Counterparty checks and supplier due diligence include risk profile, sanctions/PEP/adverse media, testing return and chargeback processes, as well as control of payment agents. If you operate as a PayFac, regular reviews of the merchant portfolio, MCCs and monitoring of transaction patterns are mandatory.

COREDO real-world cases

90–180 days to compliance: manager’s plan

1. Diagnostics. Audit of payment flows and AML risks, jurisdiction map, geographic risk assessment, inventory of MCCs and merchant portfolio, review of KYC/KYB and EDD. I record current metrics: FPR, TPR, precision, recall, time-to-detect, time-to-resolve, SAR rate.
2. Policies and risk appetite. We approve a risk-based approach, sanctions rules, SAR procedures, roles of the AML officer, third-party controls. We prepare compliance with AMLD5/AMLD6, PSD2 and local regulations, and synchronize OFAC/sanctions lists.
3. Monitoring architecture. We define real-time vs batch pipeline, transaction monitoring scenarios, integration of KYC with 3DS and anti-fraud, add device fingerprinting and behavioral biometrics. We connect data enrichment and entity resolution.
4. Automation and ML. We introduce RPA for handling alerts and preparing SARs, launch pilots of ML models (if data is available), set up explainability and model validation, and monitor drift detection. We define a plan to reduce false positives/negatives.
5. Operational resilience. SLAs for internal teams and outsourcing, incident management plan, escalation procedures, archiving and audit logs. We prepare documentation for regulatory inspections and internal audits.
6. Banking and providers. We update KYB packages for banks and PSPs, check correspondent chains, prepare fallback routes in case of de-banking. We update due diligence for vendors and payment agents.
7. Training and culture. Awareness program, training on TBML, sanctions screening, chargebacks and escrow abuse, regular tabletop exercises for compliance and risk management teams.

Private aspects are often forgotten.

• verification of the source of funds (source of funds) for large transfers should be standardized: standard templates, lists of acceptable documents, affiliation checks. This reduces TAT and lowers conflicts with clients. For source of wealth, keep decision logs and a link to external sources: this helps during audits.
• Models «refund = low risk» are flawed. Refunds are often used to “clean up” traces, and money-laundering indicators related to refunds should be included in the rules. Add checks for the time between payment and refund, the frequency, and beneficiary overlaps.
• Corporate transparency is more important than «speed of registration». Nominee directors and complex trusts without a business purpose raise questions with banks. I prefer simple structures with a clear UBO and understandable business logic – this increases trust and speeds up access to banks.
• Sanctions compliance is not a one-time check but an ongoing process. Sanctions lists and automatic synchronization, adverse media monitoring and updating scoring weights should be scheduled. Ignoring updates: a direct path to operational risks.

Maturity metrics and reporting

Key AML metrics — SAR rate, false positive rate, TAT and TTR — indicate not only efficiency but also the health of the process. Regulatory monitoring and AML reporting should include alert trends, escalation rate, share of EDD cases and the ratio of real-time to batch processing. In mature, well-tuned systems I see FPR steadily trending down while TPR remains stable and SAR volume is adequate.

Cost of SAR and overall compliance expenses: practical financial metrics. They can be optimized through automation and SLA review, but it’s important not to “cut back on security.” You should also capture savings from prevented fraud, reduced chargebacks and fewer fund freezes: this is what creates the ROI from automation.

Regulatory audits – no panic

Preparing for regulatory audits and internal inspections is about order in documentation and consistency of practice. I ask teams to keep an “audit shelf”: policies, playbooks, investigation examples, escalation logs, training reports, model cards and ML validation reports. The solution developed at COREDO includes a pre-audit review and dry run interviews with responsible persons to eliminate discrepancies.

The legal consequences of AML non-compliance can strike not only with fines but also through banks: de-risking, account freezes, and termination of correspondent banking relationships. Timely SARs, transparent reporting and effective communication with the regulator reduce reputational damage and demonstrate maturity.

Scaling without losing control

Scaling AML processes as a company grows is about modular architecture, backup providers, a unified data dictionary and a flexible risk model. I recommend roadmaps for 12–24 months: phases of geographic expansion, planning new licenses (including payment services and forex), updating anti-money laundering policies for payment service providers and an integration plan for new channels.

Scoring and anti-fraud models must evolve. Anomaly detection, graph analytics and ensembles are living components that require regular retraining and review. COREDO’s practice confirms: discipline in models and metrics reduces operational surprises and makes growth manageable.

Managing payment agents and PayFac: an area where a small oversight turns into a systemic problem. Regular portfolio reviews, MCCs, geographies, due diligence for suppliers and reputation risk checks through adverse media are not bureaucracy, but insurance against the “domino effect”.

What’s important to do today

If you run a business in a high-risk industry, take three steps. First, fix your risk appetite and a map of payment flows with clear “red zones”. Then check the resilience of onboarding: KYC/KYB, EDD, UBO, sanctions and sources of funds — without gaps and manual “workarounds”. And finally, assess the economics of automation: where RPA and ML will deliver quick wins in TAT, FPR and fraud reduction, and where it’s more critical to strengthen the team and processes.

COREDO is a team that brings together jurisdiction registration, Licensing (including VASP, payments and forex), AML consulting and an engineering approach to transaction monitoring. I am open to a conversation in the language of metrics, architecture and regulatory requirements. If you see that it’s time to turn compliance into a lever for growth, let’s discuss how to adapt the practices described to your scale and vertical.

Over ten years of managing COREDO I have become convinced: the speed and quality of compliance decision-making determine a company’s competitiveness no less than product and marketing. Regulation is tightening, sanctions regimes change dynamically, and clients want a fast onboarding solution without compromises. That is why OSINT checks of beneficiaries have become the foundation of our KYC/KYB approaches and a key supporting layer for AML controls.

COREDO’s practice confirms: properly built AML OSINT checks reduce the cost of due diligence, speed up the bank’s account decision and simplify Licensing (PI/EMI, crypto, forex). I often see how a single properly documented audit trail with links to registries and adverse media answers committee questions and saves weeks of communications.

UBO: How banks verify beneficiaries

Identification of the ultimate beneficial owner is not a formality but the central element of CDD/EDD procedures. Banks are required to conduct UBO checks taking into account ownership chains, nominal directors and trust structures. In my practice, a significant share of onboarding delays arises from incomplete tracking of indirect ownership.

Banks build beneficiary checks around several main layers: corporate structure (incorporation registers), sanctions checks of beneficiaries by OFAC/EU/UN, PEP and OSINT screening for adverse publications. The COREDO team has implemented dozens of complex cases where such a combined approach revealed hidden controllers and substantiated risk classification for the bank or regulator.

Risk-based approach FATF/AMLD5/6

PEP, sanctions, adverse media: screening

OSINT sources for banks: what works

Company and beneficial ownership registers in the EU

In the EU, the backbone is formed by public company registers and beneficiary registers of the EU. For the UK, Companies House with API and open filings, and in a number of EU countries beneficial ownership registers are available (with different access modes). We often use OpenCorporates for cross-checks and OpenCorporates owner checks help quickly build the “skeleton” of a structure.

Global LEI (Legal Entity Identifier) and GLEIF provide standardized entity identification and links to subsidiary structures. For Due Diligence this is valuable: LEI speeds up entity resolution, and links to GLEIF add trust when sharing with a bank. In our practice the combination of the national trade register, GLEIF and OpenCorporates provides a strong basis for further graph analysis of ownership.

Where to check UBOs in Asia and the CIS

Databases and panel data for KYC

Commercial databases for KYC speed up collecting corporate structures and financial profiles. Orbis (Bureau van Dijk) helps with international links, ownership history and directors. For sanctions and PEP we use OpenSanctions as a flexible layer, and for negative news — aggregators with NLP features. OSINT screening tools like Maltego, SpiderFoot and Recon-ng are indispensable in EDD cases involving complex chains.

How to handle adverse media

Social networks for owner checks (LinkedIn, Facebook, Instagram) are applicable within local laws. We use privacy-preserving search methods, capture screenshots with timestamps and always note the limits of reliability. Additionally, we use WHOIS and archives (Wayback Machine) to verify the digital footprint, especially for fintech startups without a long corporate history.

How to integrate OSINT into an AML validator

Compliance architecture benefits when OSINT is not kept “on the side”, but is embedded in the AML validator and case management. On COREDO projects we build an automated screening pipeline where external and internal sources are connected via API, and results undergo normalization, entity resolution and human-machine validation.

Entity resolution and name disambiguation

To increase precision without losing recall, the COREDO team configures multi-level attribute weights and introduces human-in-the-loop for “grey” cases. This hybrid approach reduces the false positive rate in KYC and makes the solution explainable to the compliance officer and an external auditor.

Ownership analysis and hidden beneficiaries

Beneficiary checks using graph analysis of connections pair well with data from GLEIF, OpenCorporates, Orbis and court filings. Such a “combo package” provides not only a visual, but also evidence that can be attached to the case file and used to defend the case before the regulator.

Screening APIs, SaaS and human-in-the-loop

Automating OSINT processes in a bank begins with choosing APIs for bulk beneficiary screening and integrating them into the AML case management system. In COREDO projects, SaaS OSINT platforms for banks and screening APIs are often used, covering sanctions, PEP and adverse media. For corporate structures, connectors to trade registers and OpenCorporates.

At the same time, human-in-the-loop remains mandatory, especially for EDD and disputed matches. We build workflow automation for due diligence: an automated process scans and prioritizes, an analyst confirms and documents, and the validator records the decision and creates an audit trail. Such a process is resilient to client base growth and meets regulator requirements.

Legal frameworks for risk-free OSINT collection

Legal restrictions on scraping in the EU and Asia (GDPR, local laws) are a topic I raise at every implementation. Access to open data does not mean freedom to collect and process it en masse without justification and notification. It is important to define the legal bases, retention periods, purposes and minimization mechanisms in advance.

GDPR and the legality of web scraping

GDPR and the processing of open data allow KYC/KYB when there is a lawful interest and a regulatory obligation, but require principles of minimization and transparency. I recommend recording the legal bases in the compliance policy and training the team to handle personal data in OSINT scenarios.

Evidence and explainability for the regulator

Explainability: the next layer. How to ensure explainability of OSINT results for the regulator? We keep the scoring rules, the weights used for attributes, the compliance officer’s rationale and a link to the primary source. This approach addresses questions during inspections and speeds up license approvals.

Performance and Quality Metrics

Without metrics, OSINT turns into a «black box». I insist on measurability: precision/recall in AML matching, false positive rate in KYC, share of manual escalations, average time per case and the quality of data sources. Metrics allow adjusting rules and proving the ROI of a business line initiative to the board of directors.

False positives: Precision/recall, FPR

SLA, data quality scoring, monitoring

Continuous monitoring vs one-time checks – the choice depends on risk and licensing. In the fintech segment we more often implement continuous monitoring of sanctions and adverse media, as well as quarterly reassessment of beneficiaries. Such a decision brings predictability and reduces the risk of regulatory sanctions.

Economics of an OSINT Platform: ROI and Budget

Deployment and Onboarding Costs

The budget depends on sources (public/commercial), onboarding volume, level of automation and storage requirements. For mid-size fintech players, basic integration of screening APIs, connecting registries and configuring an AML validator fit into a modular budget that is usually spread over 3–6 months. In the Cost per onboarding include licenses, infrastructure, analysts’ time and audit.

Scaling and time-to-onboard

Time-to-onboard metric: a key indicator of customer experience. Reducing time must not reduce quality, so human-in-the-loop and risk stratification are mandatory. Continuous monitoring covers residual risks and improves the overall compliance health of the portfolio.

COREDO cases and solutions

Here: a few examples from projects where the solution developed at COREDO helped secure licensing and bank onboarding without unnecessary delays. I deliberately generalize the details to preserve confidentiality.

UBO verification for a PI/EMI license

Thanks to graph analysis of ownership and entity resolution we quickly identified a previously missed director in an affiliated structure. Case management recorded the audit trail, and the regulator accepted the package without additional requests. As a result, time-to-onboard was halved, and the license was obtained on schedule.

AML OSINT for crypto in VARA/MAS/Estonia

A crypto provider operating in Dubai and Singapore was going through regulatory approvals (VARA/MAS) and bank onboarding in the EU. OSINT checks of beneficiaries included UAE free zone registries, ACRA in Singapore and the Estonian financial supervisor for VASP status. COREDO’s practice showed that a combination of OpenSanctions, Orbis and local court publications works well to identify reputational risks.

Asia and CIS counterparty due diligence

We identified the affiliation of two counterparties through a common UBO and historical links in registries. Documentation for the regulatory audit included data provenance, a reference list of sources and match explainability. The client received a clear, validated picture of risks and optimized contract terms.

Best practices and common mistakes

COREDO’s accumulated practice has produced a list of recommendations that improve the reliability of OSINT checks and reduce costs. Below is what most often distinguishes a mature process from “ad hoc searches” on the internet.

Banks conduct OSINT UBO checks in the EU.

• Defining the perimeter: corporate structure, jurisdictions, licenses, transaction volumes.
• Collecting the corporate database: EU public company registries, EU beneficial owner registries, OpenCorporates, GLEIF/LEI.
• Sanctions/PEP: OFAC SDN list, EU sanctions, UN sanctions, OpenSanctions; configuring matching rules.
• Adverse media: sources with NLP filters, negative news monitoring, linguistic specifics.
• Graph analysis: ownership chains, trusts, nominee directors, documents and company filings.
• EDD: public court registers, deal announcements and corporate news, WHOIS/Wayback for digital traces.
• Documentation: audit trail, data provenance, legal memo on GDPR/local laws, explainability of rules.
• Monitoring: continuous monitoring for sanctions and adverse media, periodic UBO review.

Implementation mistakes: how to avoid them

• Lack of a risk-based approach: the same depth of checks for all clients raises FPR and prolongs timelines.
• Ignoring local laws: legal restrictions on scraping in the EU and Asia and incorrect legal bases undermine protection in a dispute.
• Overestimating “major” sources: which open-source beneficial owner registries are considered reliable is an important question, but without local registries and court publications the picture is incomplete.
• Underestimating name ambiguity: to deal with name ambiguity and fraudulent pseudonyms – use entity resolution, alias detection and linguistics.
• Weak audit trail: without evidence collection for compliance it’s difficult to explain decisions and defend them during an inspection.
• Lack of SLAs and quality control: how to set SLAs with an OSINT data provider and manage data quality is key to process stability.

Legal and compliance issues when using social networks to verify owners are addressed through regulation, trained roles and data minimization. For dark web monitoring, maintain strict rules and separate tools so as not to mix it with basic KYC.

Beneficiary verification system with COREDO

The COREDO team has implemented projects in the EU, Asia and the CIS – from legal entity registration to obtaining financial licenses and comprehensive AML support. We know how to combine automated and manual beneficiary checks, configure tools for OSINT screening, document decisions and pass regulator audits. If your plan is scaling, entering new markets or obtaining licenses in a complex jurisdiction, COREDO’s practical solutions will help turn compliance into a manageable and measurable process.

Ultimately, reliability is built on three pillars: correct sources, the right architecture and a team that takes responsibility for the result. I have been developing this approach since 2016, and it consistently works – regardless of the country, licensing regime or industry.

I founded COREDO when it became clear: global expansion of companies is not constrained by the speed of registration or the cost of a license, but by management’s ability to manage AML and sanctions-compliance risks systematically and demonstrably. Over ten years the COREDO team has completed dozens of projects in the EU, the UK, Singapore and Dubai, helping clients register legal entities, obtain financial licenses (crypto, forex, payment services, fintech) and build viable AML programs. In this article I have compiled the practical experience and tools I use myself and that we implement for clients. It will address the personal liability of a director, the requirements for 2026, and how to turn compliance into a strategic advantage rather than a set of punitive risks.

Why the director is in the crosshairs

Fiduciary duties and the standard of care for directors imply duty of care and duty of loyalty: a director must reasonably organize the AML internal control system, provide resources, appoint a qualified MLRO/AML officer and document oversight. Delegation of AML functions reduces the operational burden, but does not remove residual responsibility. Our experience at COREDO has shown: it is timely oversight by the board of directors and the reporting line, supported by minutes and metrics, that becomes key exculpatory evidence when claims arise.

Frameworks 2020–2026: what is changing

The European AML directive 2026: it is not a single document but a final configuration: a single AML rule (AMLR), the institutionalization of supranational supervision and clarification of management’s responsibilities. In 2026 companies operate in an environment where directors are expected to provide active oversight, set a risk appetite, approve threshold indicators and demonstrate the effectiveness of monitoring systems. COREDO’s practice confirms: regulators and banks check not only the existence of policies but also their implementation, KYC/KYB data, the speed of investigations and the quality of SARs.

The director’s role in AML policy

The director is responsible for the full viability of the AML policy, not its PDF version. This includes setting the risk appetite, appointing and overseeing the MLRO, approving RBA matrices, transaction monitoring protocols for management and an independent channel for hotlines and internal reporting of breaches. The COREDO team builds reporting lines so that the MLRO has direct access to the board and can escalate incidents without delays.

Separate section: UBO disclosure and the director’s responsibility. In complex holding structures (including offshore links) the director must ensure transparency, verify beneficial owners and record in the minutes the grounds for relying on counterparties’ documentation. Otherwise the risks of criminal liability for AML increase, especially in schemes to conceal beneficiaries and nominee-arrangements, where the risks for nominee directors are many times higher.

Delegating CSP without losing control

Many companies rely on corporate service providers (CSPs) and external corporate services. This is rational but requires governance: SLAs with KPIs for KYC/KYB, checks of the provider’s compliance culture, regular audits and an incident playbook. The responsibility of corporate service providers does not replace the director’s personal responsibility, so contracts include disclaimers of liability and indemnification, but the director documents oversight and effectiveness testing.

How a director can reduce AML risks by 2026

I assemble a five-layer program: counterparties, transactions, sanctions/PEP, investigations and evidentiary base. This structure provides a quick overview for the board and a clear architecture for auditors.

Onboarding: KYC, KYB and EDD as a pipeline

• KYC customer screening for companies and KYB for corporate counterparties is built on risk stratification: jurisdiction, industry, product, channels. Enhanced due diligence (EDD) obligations are activated by red flags: complex trusts, politically exposed persons (PEP), links to high-risk countries, and cross-border transactions with atypical transaction economics.
• Sanctions compliance and the director’s personal risks require sanctions screening across multiple sanctions lists, PEP checks and conflict-of-interest management. To reduce false positives through data enrichment we connect external data and transaction context, which increases scoring accuracy.

Transaction monitoring and alerts

• Real-time transaction analytics and alerts are important, but their value is determined by the process: a closed loop from detection to investigation and SAR. The COREDO team implements a risk-based approach (RBA) in rules, configures threshold indicators and key AML metrics: investigation speed, FP rate, SAR rate and the share of cases with confirmed economic substance.
• For digital assets, AML requirements for directors include blockchain analytics and transfer tracing, accounting for the travel rule for virtual asset providers and risk management of crypto conversion services. AML specifics in DeFi and smart contracts require scenarios for self-hosted wallets, mixer risks and chains with bridges.

Documentation as protection for the director

• Directors and evidence of good faith (exculpatory evidence) are built on keeping compliance logs and proofs of good faith: board minutes, MLRO reports, a refusal-to-serve log, EDD checklists and the rationale for decisions on non-standard cases.
• The SAR filing process and MLRO duties are important not only legally but also reputationally. The director ensures resources for timely reporting of suspicious activities (SAR), as well as legal privilege and information sharing during investigations: through agreed channels with external lawyers.

Incident management and investigations

• A playbook for internal AML investigations includes triggers, team composition, timelines, evidence retention rules and a communication plan with banks and the FIU. Incident management for suspicious activities should complement, not replace, the SAR process.
• Remediation programs and appointing an independent monitor can be mitigating factors. COREDO’s practice confirms: a transparent remediation roadmap and checkpoints at 30/60/90 days help reduce regulatory risks.

Training for staff resilience

• A director’s AML duties in 2026 include personal training: training programs for top management and proof of AML training are recorded in HR systems and board minutes. This is critical as evidence in an AML investigation against the director.
• D&O insurance and AML risk coverage reduce financial consequences, but it’s important to understand exclusions in the D&O policy for AML breaches. I recommend an annual gap analysis: what is covered, what is excluded, and what limits are needed for cross-border claims.

Cooperation with banks and regulators

Interaction with regulators and investigations: an area where the director sets the tone. Regulators EBA, FIU, FCA, MAS, HKMA expect a mature dialogue: a clear reporting structure, readiness for thematic reviews and regulator inspections, and documented risk governance. In cross-border cases mutual legal assistance and international cooperation come into play, which requires consistency of data and a coherent legal strategy.

Interaction with banks and the director’s role in KYC processes go beyond the onboarding package. Correspondent banking and enhanced monitoring require advance preparation: a description of the business model, sources of funds, sanctions policy and an SAR playbook. The solution developed at COREDO includes a “dossier for the bank” with compliance metrics, which reduces the number of follow-up queries and speeds up onboarding at international banks.

AML Economics: CAPEX vs OPEX ROI Metrics

COREDO case studies: licenses, registration, AML

• EU and payment services. The COREDO team supported company registrations and obtaining EMI/PI licenses in the EU, building a sanctions screening policy, EDD protocols for high-risk clients and board oversight through quarterly MLRO reports. The correspondent bank approved the account after presentation of the “director’s dossier” with exculpatory documentation.
• Forex and investment services in Cyprus. For a multi-jurisdictional group we implemented AML procedures for holding structures, developed a risk appetite with threshold indicators and conducted an AML audit and formalized management’s responsibilities as an annual calendar. As a result, the company passed the regulator’s thematic review without sanctions.
• Crypto and digital assets in Estonia, the UK and Dubai. Our experience at COREDO showed that the travel rule and blockchain tracing require leadership attention. We built monitoring protocols, implemented a hot/cold wallets policy, addressed risks of crypto conversion services and established cooperation with the FIU on SARs. In Dubai the project was based on the local regulator’s requirements and international FATF standards.
• Asia and payment licenses. In Singapore the project included third-party risk management and vendor management, the intersection of GDPR-like rules with AML, as well as interaction with banks on KYC. The client obtained a license, and the board received clear performance metrics.

In all cases we took into account risk-based Due Diligence in M&A and the risk of personal liability, especially when acquiring portfolios inherited from regulated entities. In two projects the board approved defensive strategies: exculpatory documentation and protocols for closing historical “tails”.

Board risk management

Compliance culture and board accountability are evident in three situations: during scaling, in a liquidity crisis, and when winding down the company’s operations and the risks to former directors. In the wind-down phase the director documents client exits, notifications to regulators, data retention and the end of monitoring; otherwise civil-law sanctions and disqualification from managing a company are possible.

Transfer and Transitional Provisions 2026

Director’s daily plan: concrete steps

1. Week 1–2: update the risk map, approve the risk appetite and AML threshold indicators. Re-check UBO disclosures and beneficiary registers, close documentation gaps.
2. Week 3–4: conduct a sanctions screening stress test, review PEP and EDD protocols for high-risk clients. Approve onboarding workflows and red-flag indicators.
3. Week 5–6: launch an audit of transaction monitoring, evaluate real-time alerts, implement reduction of false positives through data enrichment. Configure key AML metrics and board reports.
4. Week 7–8: conduct training for the board, MLRO and senior executives; record evidence of training. Update the D&O policy and verify exceptions related to AML violations.
5. Week 9–10: sign SLAs with the CSP and critical vendors, strengthen supplier risk management and the board’s accountability. Re-check the SAR filing process and legal privilege.
6. Week 11–12: conduct a thematic review of readiness for a regulatory visit, prepare exculpatory evidence: minutes, reports, decision log, remediation plan.

What the director gets: managed risk

Conclusions

I believe in compliance as a growth strategy. A director who invests in AML governance gains a sustainable business model and demonstrable integrity. The COREDO team helps to move from policy on paper to a living system: from company registration and obtaining financial licenses to building AML procedures for holding structures, digital assets and complex cross-border models.

If you are preparing your business for the 2026 requirements, start with manageable steps: risk appetite, board oversight, monitoring technologies, documented SAR practice and management training. COREDO’s practice confirms: this order of actions reduces directors’ personal AML-related risks and strengthens the company’s position in the international market.

When I launched COREDO in 2016, fintech seemed like a race of ideas. Today it’s not ideas that win, but sustainable models: legally sound, regulatorily mature, and operationally reliable. Over the years the COREDO team has implemented dozens of projects for registering legal entities in the EU and Asia, obtaining electronic money (EMI) licenses, setting up AML/CFT, and providing comprehensive support for payment businesses. In this article I have compiled what actually works, where entrepreneurs typically “lose” time and capital, and how to build a roadmap to a license so that in a year we are discussing scaling, not remediation.

Why it makes sense to build an EMI in the EU today

The EU payments market remains one of the most sizable and predictable. The EMD2 and PSD2 regulatory framework sets clear rules, and the passporting mechanism allows services to scale quickly across the Union. For many of our clients, registering a payment company in the EU is not only about access to SEPA and IBAN, but also about access to a reliable correspondent network and partnerships with leading card providers.

Regulatory map: EMD2, PSD2, EBA and national regulators

At the core: the Electronic Money Directive (EMD2) and the Second Payment Services Directive (PSD2). The first defines what electronic money is and how to issue it; the second sets the framework for payment services, access to accounts and security requirements. EBA recommendations complete the picture: from governance and internal controls to incident reporting and outsourcing requirements.

National regulators — Bank of Lithuania, Central Bank of Ireland, BaFin, ACPR/ Banque de France, De Nederlandsche Bank, Banco de España and others — implement these rules through local guidance and expectations. It is important to understand the principle of home state control vs host state supervision: obtaining an EMI license in the country of domicile and operating across the EU via passporting is easier than trying to obtain several local licenses.

Choosing a country for an EMI license: a strategic crossroads

COREDO often starts with the question: how to choose an EU country with the lowest regulatory risks for an EMI license? I suggest looking at four dimensions at once: EMI capital and substance requirements, timelines for obtaining an EMI license and the regulator’s readiness to engage in dialogue, the availability of banking infrastructure and correspondent relationships, and the total cost — from licensing fees to OPEX for compliance and reporting.

Lithuanian EMI license: advantages and risks

EMI license Ireland: requirements and expectations

The Central Bank of Ireland is traditionally strict on governance, the senior managers regime and independent directors. In return, Ireland provides strong access to the talent pool and the ecosystem of international payments players. Requirements for cybersecurity and operational resilience here are above average, but predictable. If your goal is partnerships with global brands and a project with a high level of risk management, Ireland is a strong option.

Malta EMI license: for fintechs with an international model

Capital, own funds and safeguarding: financial resilience of EMI

Minimum initial capital for an EMI in the EU depends on the business model, but basic thresholds are defined by EMD2 and local acts. In addition to start-up capital, regulators expect own funds, calculated according to prudential requirements taking into account issuance volumes and payment operations. In COREDO’s practice, confirmation of the source of capital and the stability of funding is one of the first things we prepare for the meeting with the supervisor.

Safeguarding is the cornerstone. Requirements for the safekeeping of funds (safeguarding) imply segregation of client funds in trust accounts or segregated accounts, or insurance/guarantee mechanisms. We choose the option taking into account the availability of banks and the cost of capital. The solution developed by COREDO for one of the projects included a multi-bank safeguarding model with automatic rebalancing according to risk limits.

Correspondent banks and access to SEPA/IBAN

Organizational structure and substance

Subsidiary vs branch: it’s not only a matter of legal formality, but also regulatory perception. A subsidiary structure gives more sovereignty over governance and independent directors; a branch can sometimes speed up the process but is more complicated regarding local management and tax substance. I prefer the subsidiary model for an EU electronic money license if the goal is long-term scalability.

Place of effective management (mind and management), risk/audit committees and independent directors are not “tick-boxes” but the basis of dialogue with the regulator. Fit and proper tests for key executives assess not only experience but also the ability to challenge risk. In COREDO projects we set up in advance the calendar of meetings, responsibility matrices and evidence of local management involvement.

Tax substance and transfer pricing for EMIs: areas of increased scrutiny. It is important that functions and risks are located where the income arises, and that the transfer pricing policy is documented. This directly affects the perception of substance and reduces regulatory risks of an EMI license during cross-border inspections.

Licensing procedure: from the business plan to interaction with the regulator

Fit and proper, senior managers regime and governance: an area where many waste time. The regulator assesses the management team, their powers, independence and the system of internal control. In one project the COREDO team replaced “nominal” roles with real functional leaders, added an independent director with banking experience and disclosed the risk escalation mechanism; the application passed the interview without additional cycles.

Timing and cost. Typical licensing timelines are 6–12+ months, depending on the country and the applicant’s readiness. Costs for obtaining an EMI license consist of consultants’ fees, government charges, audit costs and the launch of internal systems. Annual OPEX includes compliance, reporting, audit, AML systems, cybersecurity and the board of directors. I always advise allowing a 12–18 month financial “buffer” to withstand pauses on regulator queries.

AML/CFT and compliance: a system trusted by banks and regulators

EU regulators operate according to AMLD5/AMLD6, FATF and EBA recommendations. The working standard, a risk-based approach to AML: client segmentation, KYC/CDD by risk levels, PEP screening, sanctions screening, geographic indicators and continuous revision of risk profiles. For one client COREDO implemented KYC-as-a-Service with independent verification and centralized third-party management: this reduced CAC and simplified auditing.

Transaction monitoring is the heart of the system. You need a combination of rules, scenarios and machine learning, clear thresholds for CTR, STR procedures and escalation protocols. It’s important to ensure end-to-end traceability of the solution: from trigger to report. We often carry out a cost-benefit analysis of AML systems implementation to avoid “gold-plated” IT and preserve alerting accuracy.

Outsourcing and third-party risk is an area where regulators have become stricter. In contracts for cloud hosting and KYC providers we establish the right to audit, BCP/DR plans, data location requirements and incident reporting deadlines. The COREDO team pre-defines control points and termination criteria to avoid vendor lock-in.

Technological and operational resilience

Cybersecurity and incident reporting, a mandatory layer. You need policies on access, encryption, vulnerability management, penetration testing and response plans. Regulators expect incident reports within set deadlines and evidence of lessons learned from incidents. GDPR defines the contours of working with personal data, consents, DPIA and data subject rights.

Market strategy and ROI

ROI metrics for an EMI should be pragmatic: CAC by segments, LTV accounting for churn and interbank fees, unit economics by product, payback period. I ask teams to show base, realistic and stress scenarios, including de-risking by banks and delays in integrations.

Passporting and scaling in the EU is a strong driver of ROI. But remember host state supervision: some countries impose additional requirements on notifications, marketing localization or reporting. At the initial stage we focus on 3–5 countries with the best ratio of market size to requirements.

Scaling in Asia and the Middle East requires different approaches. Singapore and Dubai have separate licensing regimes; EU passporting does not work there. COREDO supports clients in these jurisdictions through local licenses and partnerships, often using the European EMI as an “anchor” center of competence and risk management.

Risks and scenarios: from revocation to remediation plans

Grounds for license revocation: systemic safeguarding failures, insufficient capital, weak AML/CFT, a management vacuum, critical incidents without remediation. In COREDO’s roadmap there is always a playbook: triggers for capital reinforcement, quick provider replacement, AML forensics and communication with the regulator.

COREDO Case Studies

• Registration of a payment company in the EU with passporting. Client: a multcontinental group, target segment: SMB cross-border. We prepared the business plan, financial model, governance, substance, conducted a fit-and-proper assessment, obtained an EMI license and set up passporting for five countries. Result, entry into SEPA in 10 months and stable access to correspondent banks.
• Launch of an EMI for a crypto-fiat on-ramp. Task: clear separation of e-money and digital assets. The COREDO team developed a tokenization policy, AML/CFT for conversion scenarios, sanctions screening and transaction monitoring. The regulator accepted the architecture, correspondent banks approved safeguarded accounts provided that flows were segregated.
• AML remediation and restoration of banking access. The client faced de-risking and a requirement to strengthen monitoring. COREDO’s practice proved effective: targeted calibration of scenarios, implementation of independent KYC and team training, revision of thresholds for STR/CTR. Within 90 days we restored two correspondent lines and closed the regulatory order.

Answers to common strategic questions

• What are the key regulatory risks for a business when opening an EMI in the EU and how to mitigate them? These are capital adequacy, safeguarding, AML/CFT, governance and cyber resilience. We mitigate them through early gap analysis, capital stress testing, an independent AML audit, BCP/DR and an incident reporting plan.
• How to compare licensing cost, capital requirements and time-to-market? We build a matrix: country × time-to-market × minimum capital × banking availability × OPEX. We take into account license fees and administrative expenses, as well as cost of compliance over a 3-year horizon.
• Which ROI metrics to use? CAC, LTV, unit economics by transaction types, share of safeguarding cost in revenue, payback and NPV with a risk discount.
• How to structure a corporate group and operating model to scale across Europe and Asia? A subsidiary in the EU as the licensing hub, branches for operations and marketing, separate local licenses in Asia, shared services for IT/AML, and a transparent TP model.
• What are the long-term consequences for banking access from choosing a jurisdiction? The choice of country affects banks’ perception, the speed of account openings, access to SEPA and partnerships with card schemes. A jurisdiction with strong supervision can increase banks’ trust, but will require higher OPEX.
• Which exit scenarios and license revocation risks should be planned for in advance? A remediation plan, capital strengthening under stress, provider switch options, M&A and mothballing operations with protection of client funds.
• What requirements for the place of effective management and substance are critical? Local directors, making key decisions in the licensing country, physical presence, independent committees and documented functions.
• What is the typical cost of annual compliance (OPEX) and how to optimize it? It includes audit and reporting for EMI, AML systems, cybersecurity, board of directors, software licenses. We optimize through risk-oriented outsourcing, KYC-as-a-Service, harmonizing reporting under the EBA and automation of monitoring.

Practical checklist from COREDO before applying to an EMI

• Confirm minimum own capital and sources of funds, calculate own funds according to prudential requirements taking into account peak volumes.
• Demonstrate safeguarding mechanisms: agreements for trust/segregated accounts, daily reconciliation policy, backup bank.
• Establish governance: independent directors, committees, authority matrix, conflicts of interest policy.
• Build AML/CFT: KYC/CDD, PEP and sanctions screening, transaction monitoring, STR/CTR, training, internal audit.
• Prepare the technology base: cybersecurity requirements for EMI, incident log, BCP/DR plan, DPIA under GDPR.
• Describe outsourcing and third-party management: SLA, audit rights, data location, replacement plans.
• Develop a market entry strategy and financial model: ROI, CAC/LTV, de-risking scenarios, a map of passporting and local requirements.

How we work at COREDO: process, roles, transparency

The project roadmap typically includes four stages: pre-licensing diagnostics and jurisdiction strategy; governance, AML, and IT architecture; compilation and submission of the application package, interaction with the regulator; launch of operations, passporting, and reporting setup. Each phase has readiness metrics and checkpoints, and communications follow the timeline agreed upon at the start.

Conclusion: what to do now

• Identify target markets and align them with passporting opportunities. If Asia is a priority, add local licenses to the scaling plan.
• Conduct an honest gap analysis on capital, safeguarding, AML/CFT and IT. Fix the gaps before engaging with the regulator.
• Prepare the team for fit and proper: real roles, independent directors, a clear governance calendar.
• Early dialogue with correspondent banks is critical. Without safeguarded accounts, a license doesn’t turn into a business.
• Assess ROI and OPEX across three scenarios. A strong financial model is your language with the regulator and banks.

COREDO builds projects that are a pleasure to look at years later. If you’re designing an EMI license in the EU, looking for answers on PSD2 and EMI licensing, planning passporting and a bank relationship strategy, we have practical solutions and the experience to deliver results. Contact us, and together we’ll turn your idea into a sustainable payments business.

I have been managing COREDO since 2016 and I see: the relocation of a fintech company between jurisdictions is no longer an exception. It is a practical tool for managing regulatory risks, scaling and reducing operating costs. But every fintech company relocation is not just about a “new license”; it is about the business model, substance, the AML framework and resilience to supervisory stress.

When should fintech companies change their jurisdiction?

Relocation makes sense when the combination of regulatory pressure, bank de-risking and the tax model makes the current jurisdiction less competitive. Often the trigger is a change in rules, for example requirements for safeguarding client funds or capital adequacy for EMI/PI, which have sharply affected unit economics. In that case relocation allows you to preserve margins and access to payment rails.

The second scenario is limited scalability. If PSD2 passporting is unavailable or has been lost after corporate changes, or local rules do not recognise the agent or distribution model, it is sensible to consider restructuring: a subsidiary in the EU, a local license instead of an agency scheme, or moving core functions to a jurisdiction with stable banking access. COREDO’s practice confirms: a timely transition prevents the cascade risk of correspondent account closures and loss of the client base.

Risks and the business model of relocating

Regulatory mapping and gap analysis

Any project begins with regulatory mapping: we build a map of requirements in the current and target jurisdictions, compare PSD2/EMI/PI, MiCA/AMLD5–AMLD6, local safeguarding and governance rules. The COREDO team has implemented dozens of such maps and sees a recurring pattern: significant “gaps” lie in governance (the role of independent directors, frequency of committees), transaction monitoring (SAR rules, TMS scenarios) and data governance (GDPR, data localization).

How relocation affects business and ROI

Change of jurisdiction affects ROI through four channels: capital requirements (capital adequacy for EMI/PI), the cost of safeguarding (trust vs ring-fencing), compliance costs (CCO staff, TMS/RegTech), and taxes (transfer pricing, tax residency of management and the company). The solution developed at COREDO includes a financial model with sensitivity to de-risking of correspondents, sanctions screening and the probability of onsite inspections.

We reduce the financial model to metrics: CAC/LTV after transfer, the share of AML-related blocks, delays in cross-border payments (SEPA/SWIFT), and the “license price” in annual operating costs. With significant capital controls or currency regulation we add a liquidity risk coefficient.

Structure, substance and governance

Substance: not about the “legal address.” Regulators test managerial substance: whether management decisions are actually made in the jurisdiction, whether there is an office, key personnel, regular board meetings. I constantly stress to clients: lack of substance is a direct risk of license refusal and subsequent supervisory enforcement.

Corporate structure and tax optimization during relocation must comply with transfer pricing rules and tests of beneficial ownership of income. We use a matrix: functions (governance, risk management, AML), assets (TMS, core banking), risks (credit, operational) — and allocate them among group companies so that the tax residency of management does not conflict with the license and reporting.

Correspondent account compliance

The COREDO team implemented a sanctions framework for clients taking into account the FATF greylist, international sanctions control networks and local advisories. This helped protect positions in the payment rails and reduce the risk of sudden disconnections.

Licensing PSD2, EMI/PI, MiCA and VASP

Licensing and “migration” of licences comes to the fore when a company changes jurisdiction or product matrix: this concerns PSD2, EMI/PI, MiCA and VASP. Let’s examine which elements can actually be transferred when changing jurisdiction, and what will require re-certification and adaptation to new requirements.

License transfer when changing jurisdiction

The term “migration of an e-money licence” or “transfer of a payment institution licence” is often used, but literally the licence does not “move”. In most cases it refers to obtaining a new licence in the target jurisdiction, parallel work on passporting (if available in the EEA) and a structured wind-down of the old permission. Exceptions: rare cases of re-domiciliation while preserving legal succession, but this is rather a corporate reorganisation followed by reauthorisation.

Registration of an entity for PSD2 passporting

registration of a legal entity in the EU for fintech is not a formality, but the foundation for passporting. License passporting under PSD2 within the EEA allows providing payment services via notifications, but does not replace a local licence outside the EEA. Equivalence decisions improve cooperation and sometimes speed up banks’ due diligence, but do not substitute authorisations.

Safeguarding and capital requirements

Capital requirements for EMI/PI depend on the volume of operations and the risk profile; capital adequacy is an area of close attention during relocation. I separately review models for safeguarding client funds: trust accounts, ring-fencing, escrow and trustee accounts. Regulators assess the frequency of reconciliation, the procedure for liquidity stress-testing and plans in the event of a partner bank default.

Liquidity and e-money requirements include rules on the immediate availability of funds and the independence of managers of client funds from the company’s commercial cashflow. During the transition period it is critical to ensure continuity of safeguarding and the correct transfer of balances.

MiCA, VASP and the travel rule in crypto

Licensing a crypto company in the EU is undergoing qualitative changes because of MiCA. VASP registration in Europe increasingly becomes a full authorisation with an emphasis on governance, risk management and consumer protection. The travel rule for crypto transactions is becoming a standard; non-compliance is a frequent reason for banks to refuse service.

Licensing timelines

Agreements on mutual recognition of licences are encountered sporadically, more often in capital markets or insurance, and not in payments and e-money. Therefore, when relocating a fintech I rely on local licensing or passporting within the EEA.

Sanctions framework during AML/CTF relocation

risk-based approach in AMLD5/AMLD6

Risk-based approach is the basic methodology. We combine FATF recommendations, AMLD5 and AMLD6 requirements and local empirical regulatory practices. The risk matrix includes geography, product type, customer behavior, partner and agent risk. FIU reporting obligations are documented specifying transaction thresholds, SLAs for filing SAR/STR and escalation procedures.

KYC, CDD, EDD and UBO

KYC/CDD policies should cover identity, address and source-of-funds verification; EDD should pay attention to PEPs and customers from high-risk jurisdictions. KYB (Know Your Business) is mandatory for partners and agents, including verification of corporate structure, UBO and sanctions status.

Verification of beneficial owners (UBO) during relocation is often complicated by differences in beneficial ownership registers and the public availability of data. We use multiple sources to verify the beneficial owner: government registers, international databases, data provider reports and corporate documents with an apostille. This reduces the risk of a bank refusing onboarding.

Transaction monitoring and RegTech

Transaction Monitoring systems and SAR rules: the heart of the AML framework. I insist on risk-scoring models responsive to the patterns of the specific business, and on effectiveness metrics: share of alerts resulting in SARs, alert closure time, and escalation rate. AML monitoring metrics and KPIs for the CCO are formalized in the policy and reviewed quarterly.

Integration of AML systems during mergers and relocation requires migration of historical data, regression testing of rules and their implementation into core banking and TMS. The solution developed at COREDO includes a RegTech stack (KYC, KYB, TMS) taking into account GDPR, data localization and performance at peak volumes.

Sanctions and high-risk jurisdictions

Sanctions compliance: not only screening for OFAC/EU, but also a policy to control transactions with high-risk jurisdictions, monitoring the FATF greylist and local restrictions. The sanctions framework should be validated by regular testing, staff training and independent audit.

Operational: data, payment rails

Operational issues include data, payment rails and outsourcing, three pillars on which regulatory compliance and service quality depend.

GDPR, localization and data privacy

Cross-border data transfers are subject to GDPR requirements and local personal data protection laws. Data localization may be required for specific markets; we define storage architecture and access routes in advance. Privacy conflicts between blockchain technologies and regulators are resolved through selective disclosure, cryptographic proofs and the delineation of controller and processor roles.

Payment rails and anti-fraud

Cross-border payment rails (SEPA, SWIFT, IBAN) require strict compliance with AML and sanctions procedures. Anti-fraud controls and chargeback management must be synchronized with the TMS to avoid conflicting decisions and reduce false positives.

PSD2 SCA requirements for authentication apply in parallel. Incorrect SCA implementation hurts conversion, so we validate UX and risk-scoring for exemptions while maintaining compliance with regulatory expectations.

Compliance outsourcing and agents

Outsourcing compliance functions saves costs but carries risk. Regulators require the licensed entity to retain decision-making responsibility, to supervise the provider and to have a business continuity plan. I recommend splitting outsourcing into operational (KYC onboarding, screening) and analytical (model risk management) and explicitly defining metrics.

Agent banking and the agent distribution model are powerful tools, but regulatory traps are obvious: limits on delegating licensed functions, requirements for agent training and monitoring, and KYB for partner networks.

Safeguarding and wind-down during relocation

The contingency plan (contingency planning) provides for surrendering the licence and an orderly wind-down if relocation takes longer or the regulator requires additional conditions. This reduces legal and reputational risks.

Taxes and reporting in corporate governance

Tax issues, accurate reporting and corporate governance practices directly affect a business’s financial stability and managerial risks.

Tax consequences of transfer pricing

Tax consequences of changing a fintech’s jurisdiction affect overall profitability. Analysis of regulators’ expectations regarding transfer pricing and taxes is no less necessary than licensing analysis. Group reporting, transfer pricing policy and allocation of functions in the value chain must be aligned with substance and risk management.

Supervision and reporting

Whistleblowing processes and internal investigations are a mandatory component. They are part of a risk management culture and an important element during inspections.

How governance affects reputation

The impact of corporate governance on obtaining a license cannot be underestimated. The composition of the board of directors, independent members, risk and compliance committees: these are signals to the regulator. Legal entity management during restructuring must ensure continuity of authority and transparency of beneficial ownership.

Reputational risk management and crisis PR are not secondary. Regulators and banks closely monitor incident management, information disclosure and readiness for stress.

M&A and due diligence: exit strategies

In M&A transactions for fintech companies, a detailed Due Diligence is especially important — it shows not only the financial condition but also the resilience of the technology platform and compliance with regulatory requirements.

Due diligence when buying a fintech

Acquiring a licensed asset speeds up market entry but increases risks. Due diligence when buying a fintech in another jurisdiction includes vendor due diligence, third-party risk, KYB checks of counterparties and agent networks. We check the quality of AML programs, the history of FIU reporting, inspection results and outstanding regulatory orders.

Mistakes when opening a subsidiary

De-risking by banks and the closure of correspondent accounts often follow from an unclear business model. Therefore I always include a bank relationship management program at the planning stage.

License refusal: Plan B

The assessment of costs and return on investment (ROI) of relocation is updated at every stage: new information from the regulator, requirements for staffing or safeguarding can change the initial assumptions.

COREDO case studies: three relocation scenarios

Relocating a payments business to the EU

Client: a payment organization with a PI in one EU country. Goal – expansion to multiple EEA markets. We conducted regulatory mapping, assessed PSD2 license passporting, prepared notifications and agreed on a plan to expand the agent network. At the same time we strengthened safeguarding: opened additional trust accounts and implemented daily reconciliation.

Licensing a crypto company under MiCA

Client: a wallets and exchange services provider. We compiled a licensing checklist under MiCA, prepared KYC/CDD and EDD policies for PEPs, integrated the travel rule and on-chain analytics into the TMS. Special attention was paid to GDPR and cross-border transfer of personal data, including a DPIA and DPAs with providers.

Relocation between Asia and Europe

A fintech licensed in Asia planned to enter the EU. We compared local license requirements in the EU and sandbox opportunities (FCA/BaFin), assessed substance and the tax residency of management. Interaction with the Asian regulator took into account the lack of mutual recognition of licenses, so we built a separate European structure with transparent transfer pricing.

Step-by-step plan: timeline

Preliminary audit (2–4 weeks)

• Regulatory mapping and gap analysis.
• Financial model: ROI, capital adequacy, safeguarding cost.
• Assessment of substance, UBO and governance, sanctions and AML risk.

Registration of legal entity and substance (4–8 weeks)

• company registration, opening an office, hiring key personnel.
• Governance setup: committees, independent directors, conflict of interest policy.
• Protocols for relationships with correspondent banks and agents.

Licensing (3–9 months)

• Preparation of package for EMI/PI or VASP/MiCA.
• AML implementation/KYC/CDD/EDD, TMS and sanctions screening.
• Pre-approval consultations, responses to regulator requests, sandbox pilots if necessary.

Client and funds migration (4–12 weeks)

• Plan for transfer of operations, notifications, contractual framework, travel rule and cross-border payments.
• Safeguarding transfer: escrow/trustee, reconciliation, testing period.
• Procedure for license termination and transfer of operations in the old jurisdiction.

Post-licensing oversight (12 months)

• KPI for CCO, AML monitoring metrics, independent audit.
• Onsite readiness, regular reports, whistleblowing processes.
• Continuous improvement program and stress tests.

Fintech relocation checklist

• Regulatory mapping and gap analysis for PSD2, MiCA, AMLD5/AMLD6.
• Assessment of license passporting vs local license requirements.
• Substance plan: office, staff, managerial substance tests.
• Governance: board of directors, committees, CCO role policy.
• AML program: risk-based approach, KYC/CDD, enhanced due diligence for PEPs.
• KYB for partners and agents, vendor due diligence and third-party risk.
• TMS: transaction monitoring, SAR rules, integration into core banking.
• Sanctions compliance: OFAC/EU screening, control of high-risk jurisdictions, FATF greylist.
• Safeguarding: trust vs ring-fencing, escrow and trustee accounts, liquidity tests.
• Payment rails: SEPA, SWIFT, IBAN; anti-fraud and chargeback management.
• GDPR: cross-border data transfers, data localization, DPIA and DPA.
• Taxes: transfer pricing, tax residency of management and the company.
• Supervision: FIU reporting obligations, supervisory cooperation, regulatory notifications.
• Exit strategies: license refusal, contingency planning, license surrender and wind-down.
• RegTech stack: AML, KYC, KYB, TMS; performance metrics and SLAs.
• Plan for managing correspondent banks and de-risking consequences.
• Analysis of equivalence decisions and mutual recognition agreements (where applicable).
• Local agency networks and restrictions on delegating licensed functions.
• Verification of data sources for verifying beneficial owners.
• Reputational risk management and crisis PR.

COREDO’s role as a partner

The COREDO team has delivered projects in the EU, the UK, Singapore and Dubai while maintaining operational continuity, correctly migrating safeguarding and with predictable timelines for obtaining approvals. If you are preparing a change of jurisdiction for a fintech license, VASP registration in Europe, migration of a payment institution model, or implementing MiCA/PSD2/SCA, join the conversation at an early stage. My colleagues and I will apply a methodology proven by dozens of projects and build an architecture that will withstand supervisory reviews and deliver the ROI that motivates relocation.

Greetings — I’m the CEO and founder of COREDO. Since 2016, our team has been helping entrepreneurs from Europe, Asia and the CIS build sustainable international businesses. We focus on company formation, obtaining financial licenses, AML consulting and full legal support – from Due Diligence to asset protection.

Registering a company abroad opens doors to new markets, but requires a precise understanding of local regulations. As CEO of COREDO, I personally take part in designing international structures, negotiating with banks and preparing companies for licensing. We build solutions so they simultaneously meet the requirements of the registrar, the bank and the compliance officer — without “on-the-fly rework”. Our experience at COREDO has shown that entrepreneurs often face regulatory traps, problems with banks and document inconsistencies. I will explain how to avoid these barriers based on real cases, and provide practical strategies for your success. From 2016 to 2026 we have supported projects in various scenarios: from “quick launches” of trading companies to complex structures with licensing, banking committees and annual compliance audits. The most common time losses for entrepreneurs are not the registration itself, but repeated submissions to banks and reworking documents to meet compliance requirements.

Therefore below I will describe exactly the points where the process usually “breaks down”.

Choosing a jurisdiction for business

Choosing the right country is the foundation of your project. In 2026 substance is not a “box‑ticking” office but proof of where management decisions are actually made and economic value is created (board minutes, local employees, contracts, expenses, control of functions). Banks and tax authorities increasingly look at the actual “place of management” rather than the registered address. The COREDO team analyses not only tax rates but also substance requirements (requirements for the real presence of the business), political stability and sanction risks.

The key factor was not the speed of registration but a pre-prepared “bank-ready” package: ownership structure, description of the business model, sources of funds and an operational process plan. This is most often what decides the fate of the account and the onboarding of payment providers.

COREDO’s practice confirms: always carry out a multi-level analysis. Consider access to EU markets (via the Czech Republic or Slovakia for manufacturing), residence permit programs (Cyprus or Portugal) and licensing opportunities (United Kingdom for forex).

Registration steps: from documents to launch

Registration is not a formality but a strategic process. Our approach at COREDO: a full turnkey cycle with legal outsourcing.

1. Document preparation. Standard package, articles of association, memorandum of association, proof of address and beneficial owners’ KYC. An error in an operating agreement in Asia once delayed a client’s project by months – we revised it taking into account local rules, and the client launched on time.
2. Choosing the legal entity form. In Poland, an SPI (small payment institution) is suitable for payment services; in Lithuania – a UAB for crypto. COREDO’s team completed the registration of an NPI in Poland: we took AML requirements into account and obtained the license in 3 months.
3. Registration through official portals. In the Czech Republic: via Justice.cz, in Estonia, the e-Business Register. We use accredited agents, including clauses in contracts about force majeure and liability for regulations. In practice, the timeline is most often “eaten up” not by registration but by the compliance part: clarifications about UBO, sources of funds, contracts with counterparties and confirmation of the operating model. Therefore we prepare answers in advance to standard bank and regulator queries so as not to lose weeks to correspondence and re-submissions.
4. Account opening. It is important to understand the bank’s logic: it assesses not only the company’s documents but also the risk profile of the model (products, client geography, volumes, counterparties), UBO transparency, sources of funds/wealth and readiness for ongoing monitoring. Therefore the “account package” should be assembled as for due diligence: a brief business memorandum, a cash flow diagram, compliance policy and proof of real activity. Banks check substance: office, employees, reporting. COREDO practice: preliminary due diligence of the document package guarantees approval in 95% of cases – from HSBC in the United Kingdom to OCBC in Singapore.

Obtaining financial licenses: crypto and banks

Licenses: the key to legitimate operations. It is important to distinguish “company registration” from regulated activities: payment services, exchange/storage of crypto-assets, investment services and forex almost always include licensing triggers. An error at this stage leads to bank refusals and risks of operating “in the gray zone”, so we always perform a preliminary qualification of activities and regulatory positioning before submitting documents. COREDO specializes in crypto licenses (Lithuania, Estonia), payment (Poland NPI/SPI), forex (Cyprus CySEC) and banking (Switzerland).

AML consulting: protection against risks

AML is not a “set of documents” but an operational risk management system: who your client is, where the money comes from, which transactions are normal for your profile and which are a trigger. Companies that embed AML from the start are less likely to face freezes, sudden bank inquiries and loss of payment infrastructure. Regulations like the EU AMLR and FATF require transaction monitoring, customer due diligence and a risk-based approach.

beneficial ownership transparency is mandatory: we use UBO registers in the EU. COREDO practice: an annual compliance audit prevents 80% of fines.

Support: from registration to scaling

COREDO предлагает не разовые услуги, а партнерство. Legal outsourcing включает договорной due diligence, legal opinions, споры с банками и регистрацию ТМ.

Our experience with hundreds of projects proves: a systematic approach saves time and resources. Clients receive transparent timelines, fixed fees and support at all stages – from idea to IPO preparation.

Final recommendations

Invest in expertise in advance. Start with a risk audit: substance, sanctions, AML. Choose jurisdictions based on your goals – the EU for markets, Asia for hubs. Trust teams with a track record, like COREDO.

In 2026, those who design legal and compliance architecture in advance, rather than react to problems after the fact, will win.
If you are ready to take the step – contact us. Together we will build your global business.

As CEO and founder of COREDO, I see daily how financial companies in Europe, Asia and the CIS face growing challenges: from strict EU regulations to market volatility in Dubai and Singapore. The role of internal audit goes beyond simple checks; it becomes a strategic tool that strengthens financial resilience and increases the ROI of operations. Our experience at COREDO confirms: companies that implement a systematized internal audit minimize risks and accelerate business scaling. Over the past years, dozens of financial entities have gone through COREDO projects: fintech startups, payment institutions, investment companies and licensed providers of financial services. We have supported clients not only in planned audits but also in crisis situations during regulatory inspections, banking investigations and preparations for licensing.

In this article I will examine how internal audit integrates into the daily processes of financial firms, based on practices the COREDO team has applied for clients in the Czech Republic, Cyprus, Estonia and the United Kingdom. We’ll help you understand how to implement it to reduce costs, ensure compliance with regulations and provide an objective assessment of operations.

Internal audit in financial companies

According to the standards of the Institute of Internal Auditors (IIA), it focuses on risk assessment: internal audit analyzes processes to identify weaknesses and propose improvements. In our work we rely on the combination of IIA Standards, COSO ERM and ISO 31000, building internal audit as a system: from a risk map and control environment to continuous monitoring and an advisory function for management.

The project began with fragmented processes and a lack of unified control. After implementing internal audit, the company was able to standardize financial procedures, speed up report preparation and reduce the number of queries from banks and regulators

Financial internal audit: goals and objectives

financial audit within a company addresses key tasks: internal control of financial reporting, reliability of financial reporting and prevention of losses. The COREDO team carried out such audits for clients seeking licenses in the EU, where regulators require strict compliance.
These projects covered different business profiles – from startups to structures with international holdings, which made it possible to develop universal internal audit models for multi-jurisdictional requirements.
Goals are simple but powerful:

• Identification of weaknesses in accounting and reporting.
• Optimization of accounting policies to reduce costs.
• Control of cash flows to prevent leaks.

Internal audit in risk management

risk management internal audit, risk-oriented approach, where priority is given to high threats such as market volatility or ESG risks. As CEO of COREDO, I personally participate in designing internal audit functions, negotiating with regulators and building audit-frameworks for companies entering Licensing and international markets. In practice, risk-oriented audit means shifting from spot checks to a systemic analysis of processes: financial flows, IT systems, decision-making models and compliance with regulatory requirements.

Assessment of the Internal Control System

Internal audit within a company assesses its effectiveness by checking processes from legal entity registration to licensing. For regulators, banks and investors, it is the effectiveness of the internal control system that is the main indicator of a company’s maturity, not the presence of formal policies

COREDO’s practice confirms: to assess the effectiveness of internal control in financial companies in Asia we use KPI metrics – risk reduction of 20–30%, increased transparency. A client in the Czech Republic, while obtaining a crypto license, underwent our audit, which ensured operational efficiency and compliance with legislation.

Internal Audit in Corporate Governance

corporate governance audit strengthens corporate governance, integrating audit into strategic planning. The role of internal audit here is to provide audit recommendations that improve processes and build a corporate culture of openness.

Internal audit for compliance with regulations in the financial sector has become key to attracting investors, strengthening investor confidence.

How to implement an internal audit in a financial company

Implementation begins with analysis: identify audit risk and prioritize. Steps proven at COREDO:

1. Form a team or outsource: at COREDO we offer Legal outsourcing for startups.
2. Implement digitalization of internal audit using data analysis tools.
3. Measure the ROI of internal audit: calculate using the formula (reduction of losses + optimization) / costs. Our case studies show a 3–5x return in the first year.
4. Scale: strategic advantages of internal audit for scaling business in the EU – by scaling internal audit.

Success metrics in internal audit

Innovations in internal audit – digitization and AI for operational audits. The effectiveness of internal audit is measured by KPIs: reduction of financial risks, ROI from implementing an internal audit function, transparency metrics.

Example: in Cyprus, innovations in internal audit processes to reduce costs helped a bank integrate an ESG audit, preventing losses from volatility. How does internal audit prevent losses in times of market volatility? By preventing losses and through internal audit’s role in financial resilience.

Long-term benefits: control and growth

Internal audit increases the company’s financial resilience and investment ROI by providing transparent financial reporting and an objective assessment of performance. In our projects, companies with an established internal audit function were better able to navigate stress periods — regulatory changes, increases in transaction volumes, and investor scrutiny.

In COREDO, we’ve seen how an internal audit function integrates into corporate governance to attract investors; clients in Poland doubled their funding after our audits. How do you measure the effectiveness of internal audit by metrics of risk reduction and profit growth? Focus on KPIs: ROI, risk reduction, operational efficiency.

If you are scaling in Asia or the EU, should you implement an internal audit function? Today internal audit is not a cost center but a management infrastructure without which sustainable growth in a regulated financial environment is impossible. Yes: cost calculations show a quick return on investment. The COREDO team is ready to conduct a deep analysis and implement a systematized approach, as it has for hundreds of clients since 2016.

As the CEO and founder of COREDO, I see every day how entrepreneurs from Europe, Asia and the CIS face a maze of AML regulations. Since 2016 our team has supported company registrations, obtaining financial licences and implementing compliance in key jurisdictions — from the Czech Republic and Cyprus to Singapore and Dubai. Today, as 6AMLD and the EU AML Regulation change the rules of the game and AMLA gains momentum, choosing the right approach determines success. In this article we analyze AML regulations in the EU, the UK and Switzerland, the key differences and the strategies the COREDO team applies for clients. You will receive practical tools to optimize CDD, reduce false positives and scale your business without risks. In recent years dozens of financial and investment structures have gone through COREDO projects: fintech startups, crypto providers, payment institutions, family offices and holding companies. We have supported clients during bank investigations, regulatory inspections, license interviews and AML remediation projects after fines. It is this hands-on experience that underpins the conclusions of this article.

AML during registration: why is it the main challenge?

As CEO of COREDO I personally take part in designing AML models, negotiating with banks and preparing clients for regulatory inspections. We build systems as if an audit by AMLA, the FCA or FINMA could start the next day.

Registering a legal entity abroad is not just a formality. COREDO’s experience shows: banks and regulators require substance and transparency from day one. In the EU, 6AMLD strengthens directors’ responsibility for beneficial ownership, in the UK post-Brexit AML focuses on SM&CR, and Switzerland through AMLO-FINMA and TLEA emphasizes a risk-based approach.

AML EU vs UK vs Switzerland

Let’s break down the AML comparison by key parameters. The solution developed at COREDO always starts with a risk matrix that takes into account 6AMLD enforcement, Swiss AMLA and UK AML rules.

In our work we use a multi-level AML model:

• regulatory layer (supervisory areas, licenses, AMLA/FCA/FINMA),
• control layer (CDD/EDD, transaction monitoring, SAR, training),
• operational layer (onboarding, IT architecture, data, reporting).

Implementation strategies: from registration to compliance

Implementation strategies: from registration to compliance is a comprehensive approach that enables businesses to consistently build a system for regulatory compliance while minimizing the risks of fines and reputational damage. Starting with registration with built-in AML, where correct configuration of onboarding checks plays a key role, companies avoid common mistakes and smoothly move to full compliance through risk assessment, policies and monitoring. Most AML failures occur not at the licensing stage but much earlier — during the design of the structure and the first banking contacts. Therefore, we always view registration as the first element of a compliance architecture, not as a separate legal service.

Registration with AML: common pitfalls

licensing: crypto, forex, payments

AML consulting: automation and scaling

For banks and regulators today, what matters is not so much policies as demonstrable effectiveness of systems: alert quality, speed of investigations, transparency of decisions. These are the parameters we build into AML architecture.

Long-term risks: how to minimize

COREDO offers internal AML department outsourcing: full support from registration to group-wide policies. Our approach is risk-based, with AI AML for false positives reduction and T+1 settlement impact. In all projects we operate on a regulator-first and bank-ready basis: each structure is designed to withstand inspection by the regulator, the bank and the auditor simultaneously.

Conclusion: AML as a competitive advantage

AML in 2026 is no longer about formal compliance with directives. It’s about business architecture, resilience to regulatory risks, and the ability to scale without losing access to banks, investors, and markets.

COREDO’s practice shows: when AML is integrated into the business structure — from company registration to transaction architecture and investor onboarding — it stops being a drag and becomes growth infrastructure. It is precisely this approach that companies choose today when they are focused not on a short-term launch but on a long-term presence in regulated markets.

As CEO and founder of COREDO, I see every day how entrepreneurs from Europe, Asia and the CIS face challenges structuring investment businesses for effective investor onboarding. Our experience since 2016 in registering legal entities in the EU, Singapore, Dubai and other jurisdictions shows: the right investment structure accelerates investor onboarding, reduces risks and increases ROI. In this article I will explain how the COREDO team implements a scalable investment structure by integrating AML/KYC compliance and optimizing processes for your success. Over that time, dozens of investment structures have gone through COREDO projects: holdings, venture studios, family offices, private investment vehicles and fintech platforms. We have supported clients not only at the registration stage, but also during banking checks, licensing procedures, restructurings and scaling onboarding across multiple jurisdictions simultaneously.

Business structuring and investor onboarding

As CEO of COREDO I personally participate in developing structures for investment projects, negotiating with banks and licensing authorities and modeling investor onboarding flows. We build systems as if the regulator, the bank and the key investor arrived for an inspection on the same day.

This project started with disparate companies and manual procedures. After restructuring we built a unified investment architecture: a holding, operational SPVs and a centralized compliance framework, which allowed scaling onboarding without increasing operational costs.

In Asia, where we registered companies in Singapore, the focus is on local MAS regulations. One project: structuring a holding for onboarding with SPVs (special purpose vehicle) for cross-border investments. This minimized risks and accelerated onboarding for Asian and European partners.

Optimizing company structure for onboarding

Simplifying investor onboarding starts with the investment business structure, where every element serves speed and compliance. In practice we design the structure around the future investor journey: from first contact and KYC to profit distribution and exit from investments.

After implementation this model became a reference for other investment projects, where regulators and banks evaluated not only documents but also the real effectiveness of investor onboarding.

Mistakes in onboarding almost always cost more than a correct architecture at the start. We conduct Due Diligence at the company registration stage, analyzing investors’ risk appetite and sanction lists. Example: a client from Singapore was obtaining a crypto license; the solution developed at COREDO included escrow accounts and risk management in onboarding, which reduced capital outflow by 25%.

Optimizing onboarding in investment companies requires a welcome package for investors: a personalized portal with video guides, a portfolio dashboard and regular feedback.

Cross-border onboarding: EU, Asia, CIS

We combine cross-border onboarding in Asia with company registration in Asia. In Dubai and Singapore the COREDO team builds a hybrid structure (holding + fund) compliant with local requirements. For a client from the United Kingdom we created an investment committee with automated onboarding, ensuring cross-border compliance and reducing time to full productivity to 2 weeks.

In the CIS and EU the focus is on onboarding in the EU for investors: registration in the Czech Republic or Slovakia with NPI/SPI licenses for payment services.

Scaling an investment structure requires a corporate onboarding policy. At COREDO we use metrics: onboarding ROI metrics (ROI = (LTV – CAC)/CAC), cost of reaching productivity.

AML consulting and licensing

investment business to simplify onboarding»” src=”https://coredo.eu/wp-content/uploads/2026/01/aml_konsalting_i_litsenzirovanie_h3_img_3.webp”/>

financial licenses – the key to investor loyalty. The COREDO team assisted in obtaining banking, forex and payment licenses in Lithuania, Poland and Switzerland.

Comprehensive support includes Legal outsourcing: from legal opinion to trademark protection under the Madrid Protocol.

Plan from COREDO: practical steps

1. Audit and structure selection: We analyze your current model and propose structural optimization for onboarding (EU for stability, Asia for speed).
2. Company registration: Full cycle – from documents to accounts, including registration of entities for investments in Asia and the EU.
3. Licensing and AML: We implement KYC/AML procedures, automating them for progressive onboarding.
4. Onboarding launch: A checklist with gamification, regular feedback to investors and engagement in investment projects.
5. We track onboarding KPIs, adjusting to reduce capital outflow and increase ROI.

I welcome you as the CEO and founder of COREDO. Since 2016 our team has been assisting entrepreneurs from Europe, Asia and the CIS with company formation, obtaining financial licenses and ensuring AML compliance. I have seen fintech startups frequently encounter AML breaches that lead to massive fines — up to $150 million in the EU — account freezes and license revocations. Our experience at COREDO has shown that timely implementation of a risk‑based AML approach not only helps avoid these risks but also accelerates business growth. Over recent years dozens of fintech companies have gone through COREDO projects — from early-stage startups to licensed payment institutions and crypto providers. We have supported clients through regulatory inspections, bank investigations and licensing procedures in the EU, the UAE and Asia. The conclusions and recommendations below are drawn from these cases.

In this article I will analyze common AML violations in fintech, especially those relevant to Europe, Asia and the CIS, with practical examples. You will get practical steps on KYC/AML, transaction monitoring and SAR reporting to save time and build a transparent business.

AML violations in fintech startups and scaling

As CEO of COREDO I personally participate in designing AML models, crisis restructurings and preparing companies for regulatory inspections. We build compliance systems as if a regulator or bank could start an inspection tomorrow.

Fintech is growing rapidly, but regulators like the FCA in the UK, MAS in Singapore or Estonian authorities are tightening oversight. Typical AML violations: these are not accidents but systemic problems: weak KYC, ignoring high-risk clients and false system alerts. COREDO’s experience confirms: 70% of our fintech clients come after the first fines or blocks, and we help them recover. In most cases it’s not about a single violation but accumulated technical debt: outdated procedures, formal KYC, lack of monitoring scenarios and an unprepared team. It is exactly this «hidden gap» between regulator requirements and real processes that most often leads fintech to sanctions.

For example, for a client from the Czech Republic launching a payment platform in the EU, we identified gaps in CDD that could have cost them a license. After improvements they received a VASP license without delays.

KYC AML problems and CDD errors

KYC violations are the leading type of AML violations. Clients upload passport photos, but without verification via API or biometrics this doesn’t work. Add KYC CDD errors: superficial checks for PEP (Politically Exposed Persons) or high-risk clients from Asia lead to AML fines. A key fintech mistake is the lack of a dynamic risk model. A client goes through onboarding, but their risk profile is not reviewed when behavior, geography, volumes, and transaction types change. For regulators, this is a direct violation of the AML risk-based approach.

This project was later used as a reference model when scaling several other fintech platforms, where regulators were checking not documents but the effectiveness of AML processes in real time.

A practical step for you:

• Implement a multi-level CDD: basic for low-risk, EDD for PEP with sources of income and connections.
• Use a privacy-first approach: store data in accordance with GDPR to balance compliance and user experience.

In Singapore, where MAS requires a strict AML risk-based approach, our clients from Asia avoid KYC AML problems, obtaining payment licenses faster than competitors.

Transaction monitoring: detecting structuring

Our experience at COREDO showed: manual monitoring produces 90% false positives. For a Cypriot client with crypto operations we set up AI monitoring, focusing on velocity checks and geo-risks. Cryptocurrency AML challenges solved: ROI from automation: 300% in a year due to a 50% reduction in the compliance staff.

How to avoid it in your startup:

• Set up rules: flags on >10% of transactions from high-risk zones (Africa, cross-border).
• Reduce AML false positives: machine learning learns from your data, increasing accuracy up to 95%.
• For scaling in the EU apply FATF: risk-based scoring for high-risk AML clients.

SAR reporting: risks of delays

SAR reporting (Suspicious Activity Reports), an obligation under CFT. Delays lead to AML fines and license revocations. In the EU, for untimely SARs fintechs pay millions; in Asia MAS blocks operations.

Steps for your business:

• Set an SLA: SAR within 24 hours for suspicious transactions.
• Train your team on SAR in AML: focus on structuring and unusual patterns.
• For crypto in the EU: add wallet screening per the Travel Rule.

Risk-based approach to AML for scaling from COREDO

To avoid fines for KYC in Asian fintech, start with an audit. COREDO offers a full cycle: company registration in the Czech Republic, Slovakia, Cyprus or Estonia; obtaining banking, forex or payment licenses; AML consulting with due diligence.

Our approach:

• In-depth analysis of jurisdictions (substance, CRS/FATCA).
• Preparation of documents to standards (articles of association, operating agreement).
• Opening bank accounts, taking AML checks into account.
• Ongoing monitoring and compliance outsourcing.

Example: a British fintech expanded into Dubai through our registration. We provided AML compliance for the startup, including enhanced due diligence (EDD) for high-risk cases — MAS license obtained in 4 months.

COREDO, your partner at every stage: from idea to IPO. Get in touch — we’ll discuss how to adapt it to your business. Together we build sustainable growth without AML violations in fintech.

I welcome you as the CEO and founder of COREDO. Since 2016 our team has been helping entrepreneurs from Europe, Asia and the CIS overcome the barriers of international expansion. We focus on company formation, obtaining financial licenses and ensuring AML compliance, turning complex regulatory challenges into competitive advantages. In this article I will share a practical guide based on real experience: how to balance substance requirements with licensing, minimize risks and achieve tax benefits of 0-3% with real economic presence. Over the past 10 years we at COREDO have supported more than 280 international structures – from IP holdings and payments startups to licensed financial companies. We have been involved in projects with CySEC, Labuan FSA, FSC Mauritius, BVI FSC and ADGM, and have gone through regulatory interviews, substance audits and banking committees. All recommendations in the article are not theory but conclusions drawn from specific client cases.

Substance as the key to global markets in 2026

The COREDO team has repeatedly encountered this in practice: clients who ignored substance lost up to 6 months on re-registering structures.

It is precisely the CIGA logic that substance audits in the EU, BVI, Mauritius and Labuan are being structured around today.
COREDO’s practice confirms: for fintech startups in the EU CySEC requirements combine substance with KYC/EDD procedures, where the source of funds is checked at the start.

Steps to create economic substance: from analysis to compliance

Organize the process sequentially to save time. In our work we use a regulatory framework of four blocks: legal substance (structure and licenses), operational substance (personnel and processes), financial substance (expenses, capital, taxes) and compliance substance (AML, risk management, reporting). Without covering all four areas companies fail both tax audits and bank Due Diligence. Here is the algorithm we apply at COREDO for clients from Singapore and Dubai:

1. Formalize the business model. Indicate the geography of clients, relevant activities and risks. For crypto service providers (VASP) in Anguilla, Anguilla substance 2026 requires a local compliance officer and EDD for high-risk sectors such as FX or adult.
2. Choose a jurisdiction for your purposes. In the EU – Cyprus or Estonia for Crypto licenses EU and EMI/IBAN. In Asia: Labuan with Labuan FSA for trading companies: here Labuan substance audit focuses on digital reporting. BVI under the Economic Substance Act (ESA) is ideal for banking business: organize economic substance in the BVI with a local director. Mauritius with GBC structures balances substance and licenses for fintech: metrics such as real management and an annual audit by a trust company confirm tax incentives.
3. Gather evidence of substance. Prepare a legal opinion on substance for the classification of activities. Implement internal controls: the fintech compliance officer monitors AML/CFT, UBO disclosure and the due diligence checklist. For Mauritius, GBC substance is measured by the number of directors’ meetings and on-site decisions.
4. Simultaneously undergo KYC and bank due diligence. Banks require the articles of association, an extract from the register, a business plan and proof of sources of funding. The risks of lacking substance when opening an account are high: refusals increase by 40% in high-risk sectors.

Obtaining financial licenses for fintech and banks

As CEO of COREDO I personally participate in designing licensing projects, in negotiations with regulators and in preparation for supervisory reviews. We build models that are designed from the start to meet the requirements of regulators and banks’ risk committees, not for a formal «company registration».

Fintech Licensing: our strong suit. For a banking license or payment services in the EU go through the VASP frameworks with enhanced EDD. CySEC requirements for IT companies include a compliance officer and digital reporting to the FSC. In Asia Labuan FSA issues licenses for insurance and funds subject to a substance audit.

AML compliance and KYC: minimizing the risks of scaling

AML compliance: not bureaucracy, but business protection. Implement KYC procedures. In recent years we have assisted clients in dozens of enhanced due diligence procedures from banks and regulators. In practice we see: it is precisely a pre-established compliance framework that becomes the main factor why a company does not lose accounts, licenses and business partners when scaling.

Is it worth investing in a local team in the BVI for banking services? The ROI calculation is simple: savings on fines and taxes pay back the costs within a year.

Support: from registration to growth

registration from scratch vs a ready-made structure? Choose based on substance requirements: a shelf company speeds things up, but requires rapid adaptation. Our approach at COREDO is full-cycle: from jurisdiction selection to the annual audit. Clients from the United Kingdom and Estonia use us for IP holdings and holding companies, obtaining tax preferences when substance is demonstrated.

Ready to take the step? The COREDO team will ensure transparency, speed and support. Contact us; we’ll turn your idea into a global business.

Greetings, fellow entrepreneurs and chief financial officers. As CEO and founder of COREDO, I have been observing since 2016 how banks are tightening OSINT checks of beneficiaries before opening accounts or issuing licenses. Our experience at COREDO has shown: transparent verification of UBO (Ultimate Beneficial Owner, ultimate beneficial owners) using open sources is the key to fast compliance. In this article I will explain how banks perform OSINT, which OSINT sources they use, and give practical steps so your business passes these checks on the first try.

OSINT for beneficiary due diligence

Banks in the EU, Asia and the CIS are required to comply with KYC (Know Your Customer) and AML (Anti-Money Laundering) standards, including CTF (Counter-Terrorism Financing). An OSINT check is the collection of data from open sources to identify ownership chains, hidden UBOs and affiliated persons. For banks, OSINT is a way to confirm that the declared ownership structure matches reality. If the documents say one thing and open sources say another, OSINT always takes precedence. Even a minor discrepancy (date, affiliated company, media mention) automatically raises the client’s risk profile. COREDO’s practice confirms: 70% of refusals to open accounts are related to incomplete information about beneficiaries.

These cases rarely involve actual violations. In most cases a refusal is the result of poorly prepared onboarding: an incomplete UBO chain, lack of explanations for the origin of funds, or unaccounted affiliated connections. These problems are resolved in advance before contacting the bank.

The COREDO team integrates OSINT Due Diligence into company registration in the Czech Republic, Cyprus, Singapore or Estonia. For example, before submitting documents to a bank we conduct an internal check of ultimate owners to avoid red flags such as undisclosed PEPs (Politically Exposed Persons) or sanctions.

OSINT: banks’ tools for UBO verification

Bank compliance officers work from checklists. Their task is not to find “something bad” but to make sure that nothing is hidden. Therefore they combine automated OSINT platforms with manual analysis, especially if the client is connected to multiple jurisdictions or previously did business in the CIS.

Banks divide OSINT into passive OSINT (automated searches without direct contact) and active OSINT (deep analysis with cross-checks). Passive OSINT starts with databases like OpenCorporates, where we at COREDO track the client’s corporate structure. This reveals hidden owners through shareholder registers and property pledges.

OSINT sources for UBO in EU banks include:

• Orbis and Sayari for OSINT ownership chains – the platforms build link graphs showing affiliated persons.
• ICIJ offshore leaks and OCCRP Aleph for analyzing offshore structures.
• Sanctions Explorer from C4ADS for OSINT sanctions lists and PEP screening.

In Asia, banks like those in Singapore add local public procurement registers and financial statements.

Active OSINT is engaged when there are risks: banks check litigation through PACER or Court Listener, creditworthiness via SEC investment holdings. Active OSINT is never used “just because.” Its triggers are cross-border structures, high-risk jurisdictions, PEP factors, or discrepancies in basic databases. For the client this is a signal: standard onboarding no longer works, and without a structured report the process will be prolonged. The solution developed at COREDO combines these methods with scoring systems for due diligence: we assign scores to risks and propose mitigants.

How COREDO minimizes client risks

We structure OSINT not as a fragmented search, but as a managed process. The goal is not to “find everything”, but to assemble a picture that is understandable to the bank: logical, consistent and verifiable. This is a fundamental difference between the consulting approach and chaotic DIY checks.

Risks of hidden beneficiaries — the main headache: banks detect inconsistencies in OSINT due diligence of ownership chains. We acknowledge: even transparent structures require effort.

Beneficiary bank checks include managing UBO risks. In the EU, banks apply active OSINT to analyze affiliated persons, focusing on court records. COREDO practice: a client from the UK passed banks’ OSINT beneficiary checks thanks to our report on beneficial owners, which integrates data from 15+ sources.

In practice, clients most often ask three questions.

Answer: corporate registries + leaks (ICIJ, OCCRP) + graph databases.

Answer: through local registries, financial statements and cross-referencing with international databases.

Answer: yes, through preliminary OSINT due diligence before submitting to the bank.

Steps for OSINT checks

To pass KYC OSINT without delays, follow these steps — the COREDO team has refined them on hundreds of cases:

1. Collect basic UBO data: names, passports, addresses, ownership shares. Verify them yourself via OpenCorporates.
2. Conduct passive OSINT: Use banks’ OSINT sources like Orbis for the ownership chain.
3. Add active analysis: OSINT ownership-chain checks with sanctions and PEP screening via Sanctions Explorer.
4. Produce a report: Include scoring systems, visual connection graphs. We at COREDO provide a template.
5. Submit it to the bank in advance: This saves weeks. For licenses in the Czech Republic or Singapore we add substance evidence.

Scaling OSINT beneficiary checks is achieved through automation – banks see ROI in reduced fines of up to millions of euros. Our experience has shown: integrating the OSINT Framework into a bank’s KYC for PEP monitoring doubles approval speed.

COREDO – OSINT and registration

С 2016 года COREDO сопровождает бизнес в ЕС (Czech Republic, Slovakia, Cyprus, Estonia), the United Kingdom, Singapore and Dubai. Мы не просто регистрируем компании – проводим OSINT проверку конечных владельцев, помогаем с финансовыми лицензиями (крипто, платежные, форекс) и AML-консалтингом. Практика подтверждает: комплексный подход экономит клиентам время и ресурсы, строя долгосрочное партнерство.

Если вы планируете регистрацию или лицензию, наша команда подготовит OSINT-отчет под ваш банк. Свяжитесь, превратим вызовы в возможности.

I welcome you as the CEO and founder of COREDO. Since 2016 our team has accumulated deep experience in registering legal entities abroad, obtaining financial licenses, and AML consulting. Today I will share a practical approach to creating KYC policy for international groups that combines a unified KYC standard with local KYC adaptation to the requirements of the EU, Asia, and the CIS. This is not theory: these are solutions we apply for clients expanding business in the Czech Republic, Singapore, Dubai, or Estonia. In recent years we at COREDO have supported more than 120 cross-border structures where errors in KYC led to account blocks, license refusals, or repeated EDD reviews by banks. In most cases the problem was not “tough regulators” but the absence of a unified KYC logic at the group level – banks saw a fragmented picture of risks and shifted responsibility onto the client.

Why a unified KYC for scaling?

The key problem of the local approach is the absence of a single source of truth (single source of truth). As a result, the same UBO may be assigned different risk ratings in the EU and Asia, and when a bank requests information the group cannot quickly demonstrate the consistency of its AML position. For banks this is a direct red flag, especially in cross-border transactions and payment licenses.

The solution developed at COREDO is built on a global KYC risk appetite: we set common thresholds for PEP screening, sanctions lists (World-Check) and beneficiary checks. In practice the risk-based approach does not mean “checking everyone more strictly”, but differentiating control: low-risk clients pass fast-track CDD, medium-risk — standard onboarding with periodic review, high-risk — EDD with sources of funds, transactional logic and ongoing monitoring. This reduces the burden on compliance teams and speeds up scaling without increasing regulatory risk.

Key question: should a unified KYC standard be implemented or are local adaptations sufficient? The answer — a combination. FATF recommendations (40 principles) emphasize AML harmonization, but taking into account high-risk jurisdictions. Our experience at COREDO has shown: purely local approaches create desynchronization risks, especially during banks’ checks on the origin of capital.

Steps for implementing a global KYC framework

Start with an audit. The COREDO team conducts Customer Due Diligence (CDD) at the group level: mapping high-risk jurisdictions, analyzing the group’s capital structure and defining the global risk appetite. For a client from Asia registering an EU structure in Estonia, we integrated eKYC (electronic KYC) with eIDAS identification, providing remote verification without physical presence.

Step 1: Policy development. Create a KYC document for EU business (6AMLD requirements), KYC for Asian companies (Travel Rule IVMS) and a CIS adaptation. Important: KYC policy is not a static PDF “for the regulator”, but an operational tool. It must be embedded into onboarding processes, periodic review and escalation, with clear SLAs, responsible persons and decision logging. This is exactly what banks and licensing authorities expect during inspections. Include KYT monitoring, the shift from one-off KYC to continuous Know Your Transaction (KYT). COREDO practice: for a fintech group we set up RegTech for automation, logging verifications and ensuring KYC cybersecurity with data access controls.

Step 2: Local adaptation. A unified KYC standard is the core, but with overlays. In the EU we apply Enhanced Due Diligence (EDD) for PEPs and sanctions under 6AMLD. In Singapore — MAS guidelines on substance. In the CIS — focus on the beneficial ownership registry. Example: the European COREDO group helped synchronize with eIDAS regulations by implementing digital identity systems for digital onboarding.

Step 3: Appointment of an independent compliance officer. The role of an independent compliance officer is critical in international groups. They ensure compliance to the Board of Directors with veto power over onboarding and prepare independent reporting. For international groups it is essential that the compliance officer is independent from commercial pressure and has direct access to Board-level. EU regulators and those in Asia view this as an indicator of AML system maturity and trust in the group as a whole. In one project a COREDO officer blocked a high-risk client, saving the group fines under FATF recommendations.

Step 4: Transition to KYT and RegTech. The shift from KYC to continuous KYT monitoring pays off: ROI from a unified policy reaches 3–5x due to reduced fines (up to 10% of revenue under 6AMLD). KYT allows detecting deviations from the declared client profile: disproportionate turnovers, atypical counterparties, geographic shifts. These signals most often trigger SAR reports and bank investigations — and this is where RegTech delivers the greatest effect. We use regulatory technology (RegTech) for transaction logs auditing, Travel Rule compliance in EU-Asia transactions. For a client in Dubai we integrated Asian regulatory sandboxes for testing.

Cross-border KYC risk management

Unsynchronized procedures — the main headache. Risks: bank refusals, licensing delays (crypto, forex, payments). The COREDO team minimizes them through regulatory synchronization of KYC between the EU, Asia and the CIS. Example: when registering a payment company in Poland (NPI/SPI) we conducted CDD and EDD procedures, taking into account the Basel Committee and GDPR for cross-border data flows.

We determine the global risk appetite by target KYC markets: low-risk for EU retail, high-risk for Asian crypto. We implement sanctions-list screening and PEP (Politically Exposed Persons) checks. Plus internal system controls with logging of verifications. Frankly: there are challenges; the evolution of AMLD directives (the impact of 6AMLD on companies’ KYC procedures in 2025) requires annual updates. But with KYC/AML compliance from the COREDO group, they avoid 90% of problems.

Assessment of success and sustainability

Metrics: onboarding time (target <48 hours), % of successful bank verifications (>95%), ROI from compliance investments (30% reduction in operating costs). For CIS businesses the advantages of a global KYC framework are access to EU licenses without local mistakes. Our experience: a client with CIS roots opened a structure in the United Kingdom and Singapore, obtaining a banking license with harmonization of AML standards.

COREDO Practical Recommendations

• Group audit: Check KYC dossier storage for compliance with GDPR data protection.
• Automation: Implement eKYC with remote verification for high-risk jurisdictions mapping.
• Support: Provide Legal outsourcing for licenses – from crypto in Lithuania to forex in Switzerland.
• ROI calculation: Compare costs of duplicates (local KYC) vs. a unified framework, payback in 6–12 months.

In 2026 KYC ceased to be an auxiliary function — it is a strategic asset for the group. It affects time-to-market, cost of capital and banks’ trust. Companies that invest in a unified KYC framework scale faster and with lower regulatory costs.

When entrepreneurs from Europe, Asia and the CIS countries come to me for a consultation, almost always the same combination appears in their questions: where to register the company, how to obtain the required financial license and how to design AML so that regulators trust it and compliance doesn’t strangle the business.

Over the years that I have been leading COREDO, our team has gone with clients through the full cycle, from the idea of entering the EU or Singapore to a licensed and sustainable financial institution with a functioning risk-based AML model. In this article I want not just to list COREDO’s services, but to show how I think about the strategy of an international business structure and why the integration of registration, licensing and AML gives an entrepreneur a strategic advantage.

Logic of an international business structure

I always start the conversation not with jurisdictions, but with three questions:

1. What is your target market and product (fintech, forex, crypto, payments, B2B services)?
2. Which regulators and banks should trust you in 1–3 years?
3. How ready are you for formalization and transparency – from KYC to regular reporting?

The answers determine:

• where to register the head company (ES, UK, Czechia, Cyprus, Estonia, Singapore, Dubai, etc.);
• where to obtain financial licenses (payment, EMI, forex, investment, crypto licenses);
• how deeply to build the AML function and risk-based approach from the outset.

Registration of legal entities

The COREDO team has for many years been registering legal entities in the EU, Asia and the CIS: both individual companies and entire holding structures. It may seem like a basic service, but it is here that the architecture of the future model is laid down:

• tax consequences;
• substance requirements (office, employees, directors);
• potential regulatory requirements when licensing;
• the banks’ attitude toward your jurisdiction and ownership structure.

Which areas I cover

• Legal form
  For fintech and payment solutions, forms such as private limited / s.r.o. / OÜ and their equivalents are most often chosen, with a clear division of liability and a transparent capital structure.
• Role of particular jurisdictions
  Czechia and Slovakia are convenient for operational centres and local activities in the EU.
  Cyprus, Estonia, Latvia, Lithuania, Poland are often used for financial services, IT, payment solutions and licensed activities.
  United Kingdom: a good platform for international B2B‑services and financial infrastructure, especially in combination with licensing.
  Singapore and Dubai: key points for entering the markets of Asia and the Middle East.
• Practical setup of the process
  The COREDO team takes on the preparation of corporate documents, interaction with registration authorities, support for opening bank and EMI accounts, obtaining information about beneficiaries and their proper disclosure.

Financial licenses: how to build a strategy

obtaining a financial license, one of the most challenging stages. This concerns:

• payment and electronic money (PI/EMI, payment institutions);
• forex and investment services;
• crypto and VASP licenses;
• specialized authorizations for asset management.

COREDO focuses on licenses in EU jurisdictions (Czechia, Cyprus, Lithuania, Latvia, Poland, Germany, France, Switzerland, etc.), as well as in the United Kingdom, Singapore and a number of other countries.

Why Licensing without AML does not work

• risk-based AML model;
• real governance (directors, MLRO, internal controllers);
• the KYC/KYB system, transaction monitoring;
• the quality of internal policies and procedures.

AML and the risk-based approach in practice

In AML regulation, the risk-based approach (an approach based on risk assessment) has long been key. EU regulators, the UK, Singapore and other jurisdictions expect that:

• you understand your own risk profile (countries, products, clients, distribution channels);
• you have a formalized methodology for assessing risks;
• the compliance function’s resources are proportionate to actual risks;
• policies and procedures not only exist, but are applied.

How COREDO builds the AML framework

AML consulting at COREDO: not about “writing a policy just for the sake of a checkbox”. A typical project includes:

• Enterprise-wide risk assessment (EWRA) – a comprehensive risk assessment of the company taking into account countries, client types, products and channels.
• Development of AML/CFT policies and procedures tied to the requirements of the specific regulator (for example, in the EU: taking into account AMLD directives, local laws and supervisory guidelines).
• Establishing processes:
  • client identification and verification (KYC/KYB);
  • classification by risk levels;
  • transaction monitoring and detection of suspicious activity;
  • internal investigations and filing reports with the financial intelligence unit.
• Employee training and setting up regular knowledge updates.
• Support in dialogue with regulators and banks.

Legal and operational support after launch

COREDO was originally created as a company for long-term business support, not just for a “launch”. Today we cover the entire cycle:

• Legal services and protection: from the contractual framework to corporate changes and disputes with counterparties.
• Legal outsourcing – when it is uneconomical for a company to keep an in‑house legal department, but regular support is required in several jurisdictions.
• Legal support for financial institutions and resolution of disputes with banks and payment service providers.
• Registration and protection of trademarks in the EU, the UK and other countries, often in connection with market entry and licensing.
• Accounting outsourcing and financial reporting in accordance with the requirements of the jurisdiction of registration.

Comprehensive project at COREDO: from idea to business

To make it clearer how I organize the work, I will present a typical scenario of a comprehensive project.

Diagnostics and strategy

• Analysis of the business model, geography, and target audience.
• Determining target jurisdictions for registration and licenses (EU, UK, Singapore, Dubai, selected CIS countries).
• Map of regulatory requirements, expectations regarding AML and banking compliance practices.

Registration of legal entities

• Choosing company forms and names, preparing articles of association and corporate agreements.
• Registration in the chosen countries (for example, a parent structure in the EU, an operational fintech center in one of the jurisdictions with a developed regulatory framework).
• Support for account openings (banks, EMIs, payment systems).

Stage 3. Business licensing

• Preparation of a business plan and financial model in accordance with regulator requirements.
• Development of internal policies (including AML/CFT, risk management, IT security if necessary).
• Formation of the key persons team (directors, MLRO, compliance officers), preparation of their profiles and job descriptions.
• Communication with the regulator at all stages.

Building the AML function and operations

• Implementation of KYC/KYB procedures and risk-scoring.
• Setting up transaction monitoring, sometimes using third-party AML platforms, sometimes through the client’s internal solutions.
• Incident management procedures, case management for suspicious transactions.
• Staff training and testing procedures using real scenarios.

Long-term support of the site

• Updating policies and procedures taking into account regulatory changes.
• Support during regulator inspections and audits.
• Legal support for corporate changes and transactions.
• Registration of new trademarks, entry into additional markets, adaptation of the structure.

What to consider when choosing a partner

Entrepreneurs often ask me how to evaluate a consultant when everyone’s website says roughly the same thing. I recommend looking not at slogans but at four things:

1. Depth of expertise in target jurisdictions
   At COREDO the team works every day with company registration and licensing in the EU, Asia and the CIS, not just occasionally.
2. Real experience in the financial sector and AML
   If a consultant has no projects involving payment, crypto-, forex- and other licenses, it will be difficult for them to build a proper risk-based AML model. COREDO’s portfolio is built precisely around such tasks.
3. Integration of the legal, financial and AML units
   When different consultants are responsible for registration, licensing and AML, the client often becomes a hostage to inconsistency. The COREDO team aligns everything within a single logic, from group structure to reporting to regulators.
4. Ability to speak honestly about risks
   I always openly discuss limitations, risks and alternatives. It isn’t always pleasant in the moment, but this approach builds long-term trust.

How to use the article in practice

• registering a company abroad;
• obtaining one or more financial licenses;
• restructuring the AML‑function to align with current regulatory expectations;
• finding a long-term partner for legal and financial support.

• Clearly list your current and target client geographies and products.
• Determine which of the jurisdictions and license types described in the article are relevant to you.
• Assess how formalized your AML system is today and whether it aligns with a risk-based approach.
• Formulate 5–7 key questions you want answers to from a consultant.

I have been leading COREDO since 2016, and during that time hundreds of structures have gone through our projects: from European fintech startups and crypto platforms to Asian holdings with multi-level chains of owners. The more regulation becomes complex, the clearer one thing: beneficiary checks by banks and other financial organizations have long ceased to be a formal checkbox. It is a key element of risk management and access to the international financial infrastructure.

In this article I want to show how OSINT beneficiary checks work in practice, how banks view ultimate beneficial owners (UBO), and how an entrepreneur should arrange their structure and documents so as not to get stuck on compliance when opening an account, obtaining a license, or taking part in a deal.

Beneficiaries: the central point of risk

Today any bank, payment institution, crypto exchange or electronic money issuer builds AML/KYC processes around three questions:

1. Who actually controls the business (identification of beneficial owners, UBO)?
2. What is the source of funds and the value of assets?
3. What reputational and sanctions risk do the owners and related persons carry?

Therefore:

• KYC and beneficiaries are complemented by a full Due Diligence of beneficiaries, including analysis of affiliations, ownership chains and reputation.
• Most European and Asian regulators explicitly require a risk‑based approach: the more complex the structure and the higher the industry risk (crypto, forex, payment services, gambling, high-risk e‑commerce), the deeper the review should be.
• Banks are moving from “a tick-box for the regulator” to a model where OSINT as a bank risk management tool is embedded into credit risk, sanctions screening and even pricing.

In practice this means: if your beneficiaries and structure raise questions, you not only take longer to open an account – you lose access to key markets, licenses and investors.

How banks verify beneficial owners

Understanding what the verification of beneficial owners by banks is really built on starts with the basics: who exactly is behind the client and what formal data about them exists in documents and registries. At the KYC/KYB and formal identification level banks first build the “skeleton” of the check: they collect the minimally necessary information, confirm identity and ownership structure, and then move on to a deeper risk assessment and actual control.

Basic KYC/KYB level: formal identification

At onboarding the bank addresses the following tasks:

• identification of the legal entity (KYB): articles of association, registry, ownership structure;
• identification of beneficial owners: who owns or controls ≥ a certain threshold (usually 25%, sometimes 10%);
• checking documents and sanctions lists (OFAC, EU, UN, etc.), PEP‑status, basic AML client screening.

At this stage the classic set is used:

• corporate registries as a source of data on beneficial owners;
• international company and beneficial-owner databases (commercial providers);
• sanctions and PEP databases, negative news (negative news screening).

But for international structures and complex cases that’s not enough.

When EDD is triggered: verification of beneficial owners

EDD (enhanced due diligence) for beneficial owners is triggered when:

• complex verification of the ownership chain (multiple layers, holdings in several jurisdictions, offshore links);
• high-risk industry (crypto, fintech, forex, payment services, gambling);
• presence of PEPs, sanctioned jurisdictions or countries with weakened AML supervision;
• there are already negative signals from the media, court rulings, or the industry.

At this level OSINT becomes a mandatory tool in AML/KYC processes.

What is OSINT in compliance, and why is it needed?

• forming hypotheses (who the real controlling persons are, where the risks lie);
• link analysis, analysis of connections and affiliations;
• preparing an analytical dossier on the beneficiary with a risk assessment.

In the COREDO team’s work I roughly divide OSINT into:

• passive OSINT – collecting information without interacting with the subject (registries, media, social networks, databases, website archives);
• active OSINT – requests to relevant organizations, checks through industry communities, correlating data using indirect indicators.

OSINT sources for verifying beneficiaries

Key OSINT sources for verifying beneficiaries not only allow confirming the officially declared ownership structure, but also reveal hidden links, nominee owners and chains of organizations. In practice, registries and corporate databases become the main support, providing initial legal and financial data for further in-depth analysis.

Registries and corporate databases

Here the “skeleton” of the client’s corporate structure review is created:

• national corporate registries as an OSINT source:
• OSINT sources for identifying UBOs in Europe: company registries, sometimes separate UBO registries;
• OSINT sources for beneficiary checks in Asia: in some countries data are partially available, requiring combining several registries and commercial databases;
• international databases for beneficiary checks help see connections between companies in different countries and assess the group’s structure;
• comparative analysis: public registries vs. commercial databases and OSINT sources – we often see discrepancies in dates, ownership shares, positions, and this becomes a trigger for EDD.

In practical COREDO projects, analysis of corporate registries often helps uncover hidden beneficiaries through related companies and nominee owners.

Court judgments and enforcement proceedings

This is a goldmine for EDD:

• court judgments as an OSINT source when assessing beneficiaries: disputes with regulators, creditors, tax authorities, partners;
• databases of enforcement proceedings and bankruptcies – long-term behavior patterns, attempts to evade responsibility;
• recovery cases and forensics: how owners behaved in crisis situations.

Media and social networks

This is where the picture of reputational risks is formed:

• news and industry media: using news and media resources to check beneficiaries, negative news screening, investigative materials;
• media monitoring and negative publications about beneficiaries: not only high-profile scandals, but also local conflicts, accusations, regulatory claims;
• social networks as an OSINT source on beneficiaries: confirmation of biography, connections, involvement in projects, and SOCMINT (social media intelligence) to assess affiliation and behavioral patterns.

How to identify hidden and nominal beneficiaries

Hidden beneficiaries and nominal owners: a topic that banks and financial institutions face constantly, especially in international holding structures.

Analysis of affiliations and related parties

Here OSINT operates at the intersection of:

• matching addresses, directors, phone numbers, e-mail domains;
• the participation of the same individuals in multiple entities (often in different countries);
• cross-references in media, court decisions, industry publications.

Advanced search and OSINT Framework

Practical tools:

• using advanced search (Google Dorks) when checking UBOs — searching old press releases, cached pages, presentations where beneficiaries were mentioned before the ‘optimization’ of the structure;
• using the OSINT Framework when checking beneficiaries, systematizing sources by type (registries, social networks, media, technical data);
• analysis of domain histories, WHOIS, old versions of sites via web archives.

OSINT in banking, EDD, and AML systems

OSINT in the bank’s EDD process and AML systems is turning from an auxiliary tool into one of the key sources of information about a client’s risks and their environment. Proper integration of OSINT into the bank’s AML processes allows strengthening EDD checks with data from open sources, supplementing the results of commercial databases and internal systems.

Integration of OSINT into the bank’s AML processes

The bank cannot afford “manual” OSINT at an industrial scale. Therefore important:

• integration of OSINT into the bank’s AML systems: connecting external sources via API, automatic negative news screening, alerts for sanction changes;
• OSINT tools for financial institutions: web-scraping systems, media monitoring, SOCMINT, platforms for link analysis;
• continuous monitoring: regular dossier updates and monitoring of key beneficial owners.

OSINT in risk scoring and fraud detection

In mature models, OSINT data is fed not into a separate report, but directly into risk scoring:

• assessment of clients’ creditworthiness using OSINT: taking into account legal disputes, histories of defaults, conflicts with counterparties;
• OSINT in the investigation of financial crimes and money laundering – forensics, reconstruction of transaction chains, identification of nominee owners;
• OSINT as a tool for bank risk management: early detection of problematic beneficial owners before defaults occur.

As a result, the bank better understands who it is working with, and can more precisely adjust limits, pricing and terms.

How to prepare an OSINT check of beneficiaries

When I discuss with clients opening an account or obtaining a license in the EU, the UK, in Cyprus, Estonia, Singapore or Dubai, I always say the same thing: you need to prepare not only the documents but also your digital footprint.

What makes sense to do in advance:

• Transparent structure
  • minimize unnecessary intermediaries, especially in offshore jurisdictions without clear registries;
  • provide documented explanations of the ownership-chain verification: why the structure is the way it is, where added value is created, and where management is located.
• Data consistency
  • cross-check corporate registers, statutory documents, media profiles and the company’s website;
  • avoid situations where in one place the beneficiary is “advisor”, and in another, “founder and 100% owner”.
• Reputational audit using OSINT
  • conduct a preemptive check of beneficiaries’ reputational risks: media, court databases, professional communities;
  • if necessary – prepare explanations for contentious cases (for example, a conflict with a former partner, or a legal dispute that has been closed).
• Documentary support
  • prepare a package that meets not only formal requirements but also the logic of AML/EDD: business model, source of funds, key contracts;
  • for international structures: logically connect all parts from a business and tax perspective.

OSINT, company registration and licensing

OSINT, company registration and Licensing: a practical perspective helps businesses not only understand who they are dealing with, but also foresee legal and reputational risks when working with foreign jurisdictions. By analyzing public registers, licenses and corporate links, it is possible to build a safer strategy for registering a company abroad, minimizing the likelihood of mistakes and regulator claims.

Company registration abroad and OSINT

When registering companies in the EU, the UK, in Cyprus, in Estonia or in Asian centers (Singapore, Dubai), checking the client’s corporate structure and beneficiaries has become a standard part of the process:

• registrars and banks use OSINT to vet counterparties and partners, especially when the structure is international;
• regulators expect licensees to be able to conduct OSINT during client compliance checks;
• when licensing (crypto, payment, forex, investment services) the decision often depends on how transparent the UBO appears from an OSINT perspective.

Crypto and fintech licensing

• OSINT‑approaches to checking beneficiaries in high‑risk sectors (crypto, gambling, forex) include in‑depth analysis of media, industry investigations and business connections;
• sanctions checks and beneficiaries in such projects are supplemented by assessment of indirect links (countries, counterparties, sources of capital);
• OSINT in cross‑border transactions and foreign‑economic deals is becoming a mandatory part of AML policy/CTF.

Strategic questions for the owner and top executive

If you manage a banking group, a fintech company, or a large corporate business, I would ask myself the following questions:

• How integrated is OSINT screening of beneficiaries into the standard onboarding process?
• Do we have a unified standard for an analytical dossier on a beneficiary and its regular updating?
• What portion of the work is automated (web-scraping, API, alerts), and what is performed manually and at risk of “getting lost”?
• Do I understand which mistakes banks most often make when using OSINT: excessive trust in commercial databases, ignoring local sources, weak documentation of conclusions?
• Are our clients and their beneficiaries prepared for such depth of screening, or does every EDD case turn into crisis management?

Why OSINT is about management, not apprehension

From an entrepreneur’s perspective, OSINT‑checks are often perceived as a barrier. In practice it is a tool for:

• anticipating regulatory and sanctions risks;
• protecting the business from toxic partners and counterparties;
• improving the quality of decisions in M&A transactions, lending, and investments.

When entrepreneurs ask me what has changed most radically in international business in recent years, I answer with one word: sanctions. Sanctions restrictions are no longer just “background” – they shape the architecture of international holdings, determine access to banks, licenses, capital markets and even basic cross-border payments.

Since 2016 the team COREDO has been helping international companies build and restructure corporate structures in Europe, Asia and the CIS, obtain financial licenses, set up AML and sanctions compliance, pass bank KYC and maintain business resilience under the sanctions regimes of the EU, the US and the UK. In that time I have seen one thing: sanctions risk for business has become as fundamental a parameter as taxes or operating expenses.

How sanctions change the structure of business

The sanctions landscape has become multilayered:

• sanctions regimes of the EU, the US, and the UK with different listing criteria and different approaches to enforcement;
• secondary sanctions and risk to counterparties, when not only the sanctioned beneficiary but also the bank, exchange, or supplier serving them is targeted;
• financial sanctions and restrictions on payments, closure of correspondent accounts, bans on transactions in certain currencies;
• export controls and restrictions on the supply of technologies and dual-use goods.

At the level of ownership structure, this is reflected in three key effects:

1. Change in business ownership structure due to sanctions
   When a beneficiary or a key group company falls under EU or US sanctions, regulators and banks begin to view the entire ownership chain as potentially sanction‑tainted. This increases the risk of blocking sanctions and asset freezes even in friendly jurisdictions.
2. Shift of focus from tax optimization to sanctions resilience
   International tax planning continues to play a role, but the priority shifts: first sanctions resilience of the business model and corporate structure, then tax efficiency, then operational flexibility.
3. Restructuring international holdings under sanctions pressure
   Classic chains with a single central holding in a nominally “neutral” jurisdiction no longer always work. More often we move to multi-level architectures: master-holding, regional sub-holdings, separation of sanction-sensitive and “clean” business lines (spin-off, carve-out of sanctioned assets).

How to assess sanctions risks in a group

When an owner or CFO comes to me with the phrase «we need to do something with the holding, banks have started blocking payments», I never start by choosing a jurisdiction. The first step is an audit of the sanctions resilience of the corporate structure.

The project usually starts with three blocks:

1. Mapping the structure and ownership chains
   The COREDO team requests:
   • the current diagram of the international holding;
   • a list of beneficiaries (UBO), controlling persons and directors;
   • a list of all jurisdictions of presence: holdings, operating companies, SPVs, funds, trusts;
   • intragroup agreements: loans, guarantees, IP licenses, allocation of functions and risks.

   At this stage it is important not just to draw the «company tree», but to understand actual control and operational substance: where key decisions are made, where the directors are located, where actual activity is carried out.

2. Sanctions screening of beneficiaries and companies
   We conduct sanctions screening of beneficiaries, directors, key counterparties and banking partners against EU, US (OFAC SDN/Sectoral), UK lists, as well as local lists in jurisdictions of presence.

   At this stage it is important not only whether someone is present/absent on the lists, but also the assessment of:

   • the degree of risk under the «50% rule» (when aggregate ownership by sanctioned persons is ≥50%);
   • the probability of individual shareholders and top management being included in sanctions lists in the coming years;
   • the degree of contamination of ownership chains.
3. Modeling sanctions scenarios

   For significant groups we model sanctions scenarios:

   • what will happen if one of the key beneficiaries is sanctioned;
   • how inclusion on the SDN list will affect access to correspondent banking in euros and dollars;
   • which assets will be frozen and in which jurisdictions;
   • how the expansion of EU and US sanctions in 2026 will affect current supply chains, licenses, IP and the capital market.
   We then use such a sanctions risk matrix as a basis for designing the new corporate architecture.

Restructuring of international holding structures

Once the risk picture is clear, the main question arises: targeted adjustments or a complete restructuring of the international holding.

Case logic: from cosmetic fixes to redomiciliation

In COREDO’s practice, I conventionally divide situations into three levels:

1. Cosmetic adjustment
   Example: a holding in the EU, beneficiaries are not under sanctions, but banks have tightened sanctions compliance and started regularly requesting UBO disclosure, source of funds, and transaction documents.

   The solution developed by COREDO here usually includes:

   • adjusting the group’s sanctions policy and the KYC package to the requirements of international banks;
   • reworking standard contracts to include sanctions clauses;
   • implementing a formalized sanctions screening of counterparties and documenting the economic substance of transactions.
2. Structural fine-tuning
   Example: an international holding with operating companies in the EU and Asia, some shareholders are located in a sanctions-sensitive jurisdiction, and banks have begun blocking certain transactions.

   Here we are already talking about:

   • changing ownership chains to reduce sanctions risk for subsidiaries;
   • possible separation of individual assets into a separate holding structure (ring‑fencing sanctions risks);
   • diversification of jurisdictions for holding and operating companies (Europe + Asia, using neutral jurisdictions with a stable legal system).
3. Deep restructuring / redomiciliation
   Example: a beneficiary is listed on sanctions lists, the existing holding in Europe has some assets already at risk of freezing, banks refuse to service it and close correspondent accounts.

   In such cases, the COREDO team has carried out projects including:

   • redomiciliation of the international holding to a jurisdiction that is more resilient to sanctions;
   • re-registering the holding in a friendly jurisdiction while retaining control, complying with substance requirements, and minimizing tax risks;
   • a possible spin‑off and separation of the business into a sanctions-sensitive part and a “clean” segment to protect investment appeal and the ability to work with global partners.

Choosing a Jurisdiction for a Holding Company After Sanctions

The question I hear most often: “Which jurisdiction is currently the safest from a sanctions perspective?” There is no universal answer, but there is a set of criteria we follow at COREDO.

Key Selection Criteria

When choosing a jurisdiction for a new holding company under sanctions pressure, I look at:

• sanctions policy and international obligations
  Participation in EU, US, UK sanctions regimes, historical enforcement practice, tendency towards extraterritorial effect.
• stability of the legal system and protection of property rights
  Including access to international arbitration, predictability of the courts, availability of investment protection agreements (BITs).
• tax regime and double taxation treaties
  It’s important not only the nominal tax burden but also the real ability to apply DTTs without a risk of accusations of treaty shopping.
• substance and real presence requirements
  The role of business purpose (substance): presence of an office, resident directors, employees, head‑office functions in an international holding.
• banks’ and regulators’ approach to sanctions risks
  The level of “over‑compliance”, banks’ tendency to proactively refuse service, practice of UBO disclosure and sanctions screening.

Diversifying Jurisdictions and Neutral Hubs

COREDO’s experience confirms that, under sanctions, diversifying jurisdictions for holding and operating companies often yields better results than relying on a single holding center.

• One or two key holding jurisdictions for asset ownership (EU and/or Asia);
• Regional sub-holdings (Europe, Asia, sometimes the Middle East) to separate sanctions and operational risks;
• Choosing jurisdictions perceived by the market as maximally “neutral” and predictable in terms of sanctions, while having a functioning banking system and access to international payments.

Important: de-offshorization and sanctions are closely linked. Structures built solely on offshore companies without real substance appear vulnerable on the sanctions agenda — both to regulators and to banks.

Banks, cross-border payments and sanctions

Even a perfectly structured corporate structure stops working if bank compliance views the group as a sanctions risk.

• banks refusing to provide services and account closures;
• payment rejections due to sanctions screening of the counterparty or beneficiary;
• sanctions and closure of correspondent accounts, which make settlements in certain currencies impossible;
• increased levels of «over‑compliance»: banks sometimes block transactions that do not formally violate the sanctions regime but appear risky to them.

Relations with banks

Our experience at COREDO has shown: when working with international banks under sanctions, the groups that succeed are those that:

• formalize a sanctions compliance policy and can show the bank not only declarations but also procedures that actually work;
• conduct sanctions screening of counterparties and UBOs, retaining records and logs of checks;
• have a ready legal opinion on sanctions law for complex transactions and can promptly provide it to the bank.

When a bank refuses payment because of sanctions risk, three types of arguments work best:

1. A complete package of KYC/AML documents for the counterparty and beneficiaries.
2. A detailed description of the transaction chain and a documented business purpose (economic substance).
3. A legally vetted opinion (legal opinion) on the operation’s compliance with the sanctions regimes of the EU/US/UK.

Alternative payment solutions and cash management

Given restrictions on cross-border loans, traditional lending and cash‑pooling, we increasingly use:

• diversification of banking infrastructure across regions and currencies;
• alternative settlement centers and clearing systems where permissible and not violating the sanctions regime;
• rethinking intra-group financing: intercompany loans, guarantees, cash‑pooling taking into account thin capitalisation and sanctions restrictions.

Redomiciliation, M&A and sanctions due diligence

Sanctions pressure is increasingly a trigger for:

• re-registration of business in a new jurisdiction;
• redomiciliation of holding companies;
• M&A transactions aimed at selling sanctions-sensitive assets or spinning them off into separate structures.

How to redomiciliate a holding company

A typical redomiciliation project that we handle includes:

1. Assessment of tax risks when relocating the holding
   Exit taxes (exit tax), potential triggers of CFC regimes, impact on the applicability of double taxation treaties.
2. Sanctions analysis of the new jurisdiction
   How involved it is in the sanctions regimes of the EU, the US and the UK, enforcement practice, banks’ readiness to work with the group’s profile.
3. Documenting the business purpose (substance)
   Why the group is relocating: political risk, sanctions risk, the need to protect assets — all of this should be properly documented to avoid allegations of abuse of regimes and treaty shopping.
4. Changes to corporate governance and documents
   Articles of association, shareholder agreements, policies & procedures on sanctions compliance and working with high‑risk counterparties.

Sanctions due diligence in M&A transactions

In M&A transactions, the sanctions factor has become a separate block of Due Diligence:

• beneficiary checks, directors and key counterparties of the transaction target;
• assessment of deal‑breaker sanctions factors that prevent banks from financing the transaction or servicing the group after the deal;
• analysis of sanctions clauses (representations & warranties, indemnities, limitation of liability) in the SPA;
• setting up escrow mechanisms and carve‑out schemes for sanctions‑sensitive assets.

The COREDO team supports such transactions not only at the legal level but also in terms of AML and sanctions compliance, which is important when engaging banks or investment funds.

Internal sanctions compliance in a corporation

True resilience to sanctions is achieved not by schemes, but by a system.

Components of a working sanctions system

In successful projects implemented by the COREDO team, there are recurring elements:

• group sanctions policy
  A formalized document understandable to the board of directors, top management and operational teams.
• KYC procedures/AML and sanctions screening of counterparties and UBO
  Regulation: whom, how and to what depth we verify, how we document the results, how we make decisions on high‑risk clients and partners.
• sanctions risk‑based approach
  A risk map by jurisdictions, transaction types, counterparties, business units; a defined risk appetite and the board of directors’ sanctions tolerance.
• internal controls and control points
  Who and at what stage of the transaction is responsible for the sanctions function: legal, finance, compliance, business units.
• training & awareness
  Training key employees: how to identify sanctions risks, when to involve lawyers, how to communicate with banks when payments are blocked.

Personal and corporate responsibility

Under sanctions the director’s responsibility and top management have become personal: sanctions violations can lead not only to fines for the company, but also to personal restrictions.

How to approach changes in a holding company

If to summarize COREDO’s project experience, the practical roadmap for an international holding under sanctions restrictions and the tightening regimes of the EU, US and the UK looks like this:

1. Diagnosis
   • a complete map of the corporate structure and ownership chains;
   • sanctions screening of beneficiaries, directors, key counterparties and banks;
   • modeling sanctions scenarios.
2. Strategic decision
   • whether targeted fine‑tuning or deep restructuring is needed;
   • selection of jurisdictions for holding companies and regional sub‑holdings;
   • designing the target corporate architecture with regard to sanctions resilience and tax planning.
3. Legal and tax implementation
   • redomiciliation, reregistration, spin‑off, corporate restructuring;
   • updating corporate agreements, governance, policies & procedures;
   • setting up intragroup financing taking into account sanctions and banking restrictions.
4. Banking and payment infrastructure
   • setting up relationships with banks, preparing KYC/sanctions packages;
   • diversification of banks, currencies and settlement channels;
   • creating internal protocols to respond to freezes and rejections.
5. Integration of sanctions compliance into management
   • implementation of a risk‑based approach;
   • training of management and key employees;
   • regular monitoring of changes in sanctions legislation and updating policies.

When an entrepreneur asks me which is faster: to set up a new entity or to buy a ready-made financial company in the EU, I always answer the same: the speed of the deal means nothing without quality Due Diligence. This is where those who treat the review not as a formality but as an investment in their future business win.

And conversely: where the COREDO team conducted a comprehensive company review, the client entered the deal knowingly, with a clear understanding of the risks, a fair price and workable guarantees from the seller.

Due Diligence when purchasing a financial company in the EU

Ready-made financial companies in Europe are not just a “shell with a license”. They are:

• existing obligations to regulators and tax authorities;
• transaction history, clients and counterparties;
• executed contracts and legal risks;
• internal control systems and AML procedures;
• reputation in the market and with supervisory authorities.

When acquiring a company in Europe you buy all of this at once, along with the potential problems of the previous owner.

That is why I view financial due diligence, legal due diligence and tax due diligence not as three separate services, but as a single comprehensive review of the company in which the components are closely connected.

Express analysis or full due diligence: how to choose?

At COREDO we conventionally divide checks into two levels:

Express due diligence analysis

I use the express format when:

• the client needs to quickly assess the feasibility of the transaction;
• there are several targets for purchasing a ready company in the EU and a preliminary ranking is required;
• the budget at the first stage is limited, but it is necessary to weed out clearly problematic options.

As a rule, express due diligence analysis includes:

• basic review of corporate documents;
• initial check for ongoing litigation and public sanctions;
• review of licenses and permits;
• overview of key financial statements and indicators;
• initial assessment of the company’s legal cleanliness and obvious tax risks when buying the company.

When due diligence is unavoidable

I consider full due diligence mandatory if:

• the target is a licensed financial company (payment institution, electronic money institution, investment firm, crypto company CASP/VASP, etc.);
• the buyer intends to use the company as a strategic asset — developing it, scaling it, attracting investors;
• the deal size is significant, and an error would be critical for the business.

In a full due diligence we include:

• detailed financial due diligence;
• in-depth legal due diligence;
• a separate tax analysis block;
• review of the internal control system, AML/KYC procedures, governance;
• assessment of market position and business model.

Structure of due diligence for a financial company

When the COREDO team gets involved in a project to review a ready-made company in the EU, I look at it across several key areas.

Legal due diligence: verifying the transaction’s integrity

What’s included:

• Review of corporate documents
  • charter, articles of association, resolutions and minutes of governing bodies;
  • ownership and control structure, beneficiaries;
  • existence of restrictions or encumbrances on shares/stakes;
  • history of changes in members/shareholders and directors.
• Analysis of the company’s contracts and liabilities
  • agreements with key clients and counterparties;
  • agreements with IT infrastructure providers, PSPs, banks;
  • leases, outsourcing, white label, agency agreements;
  • pledges, guarantees, sureties.
• Review of the company’s history and litigation
  • current and past legal disputes;
  • administrative cases, regulatory fines;
  • investigations in AML/sanctions, claims by supervisory authorities.
• Intellectual property and IT assets
  • rights to software, domains, trademarks;
  • license agreements;
  • confidentiality and trade secret regime.

The result of this section: an understanding of to what extent the company’s legal soundness meets the buyer’s expectations and what set of warranties and representations from the seller will be required in the SPA.

Financial due diligence: numbers and debts

Main elements:

• Review of the company’s financial condition
  • analysis of financial statements for 2–3 years;
  • revenue, gross and operating profit;
  • expense structure and margins.
• Assessment of working capital
  • level and composition of accounts receivable and payable;
  • policy for provisioning doubtful debts;
  • presence of problematic or “stalled” positions.
• Net debt and debt burden
  • loans, borrowings, financial leasing;
  • intragroup obligations;
  • structure and cost of debt capital.
• Adequacy of reserves when acquiring a company
  • reserves for legal disputes;
  • reserves for disputed taxes;
  • assessment of potential “off‑balance” risks.
• Analysis of the actual operational activity
  • consistency of turnover with the business model;
  • relationship between actual cash flows and those reported in the financial statements;
  • check for “inflated” turnover or artificial profit before sale.

The task of this stage is to give the buyer an honest answer: how sustainable the current financial picture is and whether there are any “time bombs” in the form of concealed liabilities.

Tax due diligence: main risks

Tax risks when acquiring a company in the EU are often underestimated, especially when it comes to cross-border structures involving multiple jurisdictions.

In the tax section we include:

• analysis of tax returns and calculations for main taxes over several years;
• reconciliation of the tax base and financial statements;
• checks of correct application of exemptions and special regimes;
• assessment of cross-border transfer pricing schemes and intra-group services;
• identification of potential unrecognized tax liabilities.

In practice, three instruments are used:

• adjustment of the deal financing structure (debt/equity, earn‑out, deferred payments);
• tax-optimized structuring of ownership (holdings, jurisdictions in the EU and third countries);
• inclusion in the SPA of specific tax warranties and representations by the seller and compensation mechanisms.

AML and internal control in financial companies

The COREDO team regularly provides AML consulting and support to financial institutions, so in such transactions we always check:

• existing AML policies/CFT, KYC, sanctions control;
• risk‑based approach procedures, client categorization;
• work of the compliance officer and the internal audit function;
• quality of client files and completeness of KYC documentation;
• existence and content of reporting to regulators;
• cases of blocks, refusals to provide services, regulator inquiries.

This section allows us to assess:

• how compliant the company is with regulatory requirements;
• whether there is a risk of sanctions or license revocation;
• how easily the company can be integrated into your existing compliance system.

personnel management in the organization

I always pay attention to:

• management structure and allocation of functions;
• key employees: directors, MLRO/AML officer, heads of departments;
• motivation system and the risk of critical personnel leaving after the deal;
• presence of internal regulations and KPIs.

Market position and business model

For financial companies in Europe, especially with EMI/PI or CASP/VASP licenses, I always look at:

• assessment of the target company’s market position;
• structure of the client base;
• dependence on individual providers or partners;
• sustainability of the business model and its scalability.

Two-stage process: data collection and negotiations

Stage 1. Initial collection and rapid analysis

At this stage I:

• compile the list of documents to be analyzed;
• organize access to the data room (electronic document archive);
• conduct an initial screening for red flags: litigation, sanctions, regulatory risks, major tax inconsistencies.

• either walk away from the deal;
• or radically revise its structure and price.

In-depth analysis and conclusions

After the initial filter, the COREDO team proceeds to detailed examination:

• all material contracts;
• financial metrics and calculations;
• internal procedures and control systems.

The result is a due diligence report:

• a detailed opinion for each section;
• a list of identified risks and their likelihoods;
• an assessment of investment risks and possible consequences;
• recommendations for minimizing the impact of risks and mitigating them.

How to use due diligence to your advantage

Revising the price and terms of the deal

• adjust the transaction price and guarantees;
• request additional guarantees and seller’s representations;
• require withholding part of the payment in escrow until certain risks are remedied;
• initiate a review of payment terms based on the DD findings (deferment, earn‑out, partial buy‑out).

Structure of deal financing

Based on the review:

• the financing structure of the deal changes (balance of equity and debt);
• covenant terms for banks and investors are determined;
• a tax‑efficient ownership structure is formed.

Enter the deal or walk away

Due diligence for financial companies in the EU

Unlike classic M&A in the real sector, due diligence of financial companies in the EU has its own specifics:

• mandatory verification of licenses and compliance with regulator requirements;
• analysis of interactions with correspondent banks and payment providers;
• review of the history of regulatory inspections and any enforcement orders;
• assessment of reputation in the market and in the professional community.

The COREDO team regularly supports clients in obtaining financial licenses in EU countries, the United Kingdom, Singapore, and also supports transactions for the sale of companies. This experience helps us see which requirements are particularly sensitive for specific jurisdictions and segments (EMI/PI, investment firms, crypto companies).

How to prepare for due diligence

Based on my experience, I will outline a few recommendations that help entrepreneurs and chief financial officers navigate the acquisition of an established company in the EU in an informed manner:

1. Engage experts early. The ideal time is before signing the LOI or at its stage, with clear provisions preserving the right to withdraw from the deal based on the results of the due diligence.
2. Decide on the format: express or full. For initial target screening an express analysis is sufficient; for the final selection and price negotiations, only a full due diligence.
3. Discuss access to data with the seller right away. A transparent, well-structured data room is a good indicator of the seller’s good faith.
4. Focus on critical risk areas. For financial companies these include: licenses, AML/KYC, taxes, litigation, debt burden, client structure.
5. Use the findings of due diligence in negotiations. A quality report is an argument, not just a box-ticking exercise.
6. Plan integration in advance. Based on the review results, you should immediately develop a plan: changes to governance, updating policies, revising contracts, strengthening compliance.

How COREDO helps you navigate the process

Since 2016 COREDO has supported international business in company formation, licensing and legal Due Diligence in Europe, Asia and the CIS.

• understands the specifics of financial licenses and regulatory requirements;
• combines legal, financial and tax due diligence within a single team;
• is able to integrate the review with the subsequent deal structure and post-sale support.

In a typical due diligence project for a financial company in the EU the COREDO team:

• analyzes the legal status and corporate structure;
• conducts a financial review of the company and its financial statements;
• assesses the tax risks of the transaction target and options for their mitigation;
• checks the internal control system of the target company and its AML procedures;
• prepares a clear report for owners and investors, prioritizing risks;
• helps use the findings in negotiations and in the contract structure.

When a manager sees not only a list of risks, but also a clear plan for how to mitigate them, how to structure financing and which seller guarantees to request: the deal stops being a lottery and becomes a manageable process.

Over the years of COREDO‘s work with international banks in Europe and Asia I have seen that the key mistake businesses make is to treat a refusal as the final point. In fact, it is a signal: your profile in the bank’s eyes and your internal compliance system do not match its risk appetite. That means this can and should be managed.

In this article I will explain how to:

• interpret a bank’s refusal to open a company’s current account and a subsequent refusal by the bank to service the business;
• prepare for initial and repeat onboarding at the bank;
• reduce the risks of a company’s account being blocked in the long term;
• build systematic AML support for companies and an internal compliance that banks perceive as an asset rather than a problem.

Reasons a bank might refuse a loan

The phrase “refusal without explanation” protects the bank from disputes and from revealing risk-management methodologies. But there are almost always reasons. In COREDO’s practice, five blocks are most common.

Jurisdictional and industry risks

The bank assesses:

• the country of company registration;
• the country of tax residency of the beneficiaries;
• the countries of counterparties and the geography of payments;
• the industry (fintech, crypto, gambling, forex, PSP, cross-border e-commerce, etc.).

In one COREDO case we structured a group where the holding was located in a neutral European jurisdiction, the operating companies were in Asia, and the clients were worldwide. Without explaining the logic of the structure and documenting the economic rationale of the operations for the bank, it looked like a set of “shell” companies. After preparing a detailed diagram of business processes, substance and tax logic, the bank not only approved the account but also expanded the limits after several months of operation.

Ownership and beneficiary structure

The bank considers important:

• whether there is a clear ultimate beneficial owner (UBO);
• whether there is an excessive number of ownership layers;
• whether trusts, foundations, or nominee structures are present;
• whether there are PEP / sanction risks, negative news.

In such cases the COREDO team often adjusts the ownership structure for bank onboarding: we simplify levels, bring the UBO “into the light”, and document connections and sources of funds.

Business model and transactional profile

A bank’s scoring of a corporate client today relies not only on the industry but also on the expected transactional pattern:

• payment volumes and frequency;
• share of cross-border transfers;
• currencies;
• types of counterparties and jurisdictions.

In COREDO’s practice there was a client: a payment intermediary with a history of high chargebacks and disputed transactions at the previous PSP. We conducted a legal audit of the company before submitting the bank application, rebuilt the contractual base with merchants, implemented an anti-fraud policy and prepared an evidence base to justify the legality of revenues. After that, reopening an account after a compliance refusal became possible at another European bank.

Client history and external signals

Banks widely use:

• negative news screening and reputational risk;
• public registers, court cases, media;
• internal and external watchlists/blacklists.

We encountered the case “client on another bank’s blacklist: what to do”: we collected documents explaining the past case (an erroneous alert on a transaction, incorrect interpretation of a counterparty), and prepared a separate memorandum for the new bank, minimizing the risk of inclusion in the bank’s internal blacklist already at the application stage.

Bank risk appetite and scorecard

Even a legally perfect structure may not pass a bank’s internal scorecard for assessing corporate clients.

What to do in case of a bank refusal?

If a bank refusal occurs without explanation, the company has three key tasks:

1. record the consequences (and not worsen the situation);
2. understand what exactly triggered it;
3. set up a repeat onboarding after the bank refusal – either with the same bank or with another bank.

Maintaining control of the situation

Practical minimum:

• do not argue emotionally with the bank and do not ‘press’ for disclosure of reasons;
• request a written notice of refusal/account closure (if the bank issues one);
• clarify the account closure timeframe and the procedure for withdrawing funds;
• record in your system the date and circumstances of the refusal – this will be useful when analyzing the bank refusal and preparing for repeat onboarding.

Internal due diligence of the company

Before applying to a new bank, it is important to:

• conduct a legal audit of the company before submitting the application to the bank;
• assess how your company appears through the lens of AML/KYC:
  • beneficiaries;
  • contractual framework;
  • counterparty policy;
  • source of funds / source of wealth;
  • transaction and blocking history.

The COREDO team often models a bank’s risk assessment of a client: we apply an approach similar to the bank’s logic, analyzing jurisdiction, industry, reputation, media screening, structure, and transactions. This allows us to see in advance which alerts will be triggered in a bank’s scoring of a corporate client.

How to create a transparent picture of the business

Internal package to prepare before contacting the bank:

• corporate documents;
• ownership structure with a visual diagram;
• description of the business model and the value chain;
• key contracts;
• policy for working with counterparties;
• financial statements.

Strategy for repeat onboarding

After the internal audit, the question arises: where exactly to undergo secondary onboarding after a bank refusal. Options:

• the same bank (if the refusal is related to missing documents or incomplete disclosure of information);
• another bank in the same jurisdiction;
• a bank in another country, with a different risk appetite;
• a combination of a traditional bank and EMI/fintech solutions (as part of a ‘multibanking’ strategy).

How to prepare for onboarding at a foreign bank

Onboarding of corporate clients in Europe and Asia today is not just filling out a form. It is a comprehensive check of KYC/KYB, transactional logic, substance and reputation.

Documents for bank onboarding

Standard package:

• incorporation documents;
• register of shareholders / UBO;
• documents of directors and beneficial owners (ID, proof of address);
• description of activities and business plan;
• key contracts;
• financial statements and tax filings (if there is a history).

For companies with elevated risk: additionally:

• confirmation of economic substance (office, employees, real operations);
• company policy & procedures on AML/KYC;
• internal policies on counterparties and transactions;
• description of transaction monitoring systems / transaction monitoring within the company.

The COREDO team regularly prepares KYC packages for clients for foreign banks: from corporate document templates to business description phrasing that is clear to a compliance officer.

KYC for legal entities and KYB

In KYC for legal entities and KYB procedures the bank checks:

• who the ultimate beneficial owners and controlling persons are;
• whether there are nominee shareholders without a real economic role;
• whether the stated activity corresponds to the contract base;
• whether there is confirmation of source of funds / source of wealth.

Therefore one of the key areas of COREDO’s AML consulting is the adjustment of contracts and business processes to AML requirements/KYC, so that the business appears to the bank exactly as it operates in reality.

How to prepare for digital onboarding

With the growth of digital onboarding / remote onboarding, banks’ requirements for the quality of data and documents have tightened. Automated systems:

• analyze documents for forgeries;
• cross-check data with external registries;
• immediately run screening against sanctions lists and PEPs;
• apply pre-configured risk scoring models based on transaction patterns.

To reduce the risk of rejection during remote onboarding, at COREDO we:

• prepare documents in advance in formats that are easily read by systems;
• fill out questionnaires so they are consistent with each other and with corporate documents;
• prepare the client for possible re-identification by the bank, video interviews and follow-up questions.

Bank’s refusal to serve a company

Bank refusal to serve an operating company and the subsequent offboarding of the client (bank delisting) is one of the most painful scenarios.

Reasons for blocks and offboarding

Typical triggers:

• a sharp increase in turnover without prior notice;
• a change in the geography of payments (for example, a mass entry into new markets);
• an increase in the share of cross-border payments;
• transactions atypical for the previously observed profile.

How to communicate with the bank after a refusal

If a refusal has nevertheless occurred, at COREDO we almost always recommend that the client develop a communication strategy with the bank after the refusal:

• record exactly which questions compliance raised;
• prepare a structured package of responses and documents;
• if possible, request a formal reconsideration (if there are grounds).

How to reduce the risk of compliance rejections

Mature businesses today perceive banking compliance support services not as «additional expenses», but as an investment in access to the financial infrastructure.

Which internal policies do banks need?

From COREDO’s practice, the minimum looks like this:

• AML policy and procedures (KYC/KYB, handling high-risk counterparties, sanctions lists);
• transaction monitoring policy;
• procedure for responding to requests from banks and regulators;
• a documented policy on sources of funds and confirmations of beneficiaries’ incomes;
• a retention policy for documents and the evidentiary record.

How to manage a bank’s reputational risk

Banks pay special attention to:

• beneficial owners’ public profile;
• media mentions;
• litigation and regulatory cases.

Multibanking strategy and choice of jurisdictions

One of the most practical takeaways we advise our clients is: don’t build your business relying on a single bank. Especially when it comes to an international group of companies.

Why do businesses need multibanking?

How to choose banks in Europe and Asia

Our experience at COREDO has shown that for companies from the CIS operating in the EU and Asia, it’s important to consider:

• real economic substance in the chosen country;
• transparency of the tax model;
• the presence of a direct and clear beneficial owner;
• the bank’s sector policy.

How to minimize rejections during COREDO onboarding

I’ll outline, in practical terms, how the COREDO team typically gets involved in projects where there is already a refusal to open a corporate bank account or a risk of delisting.

Site audit and strategy

1. Legal and compliance audit: structure, contracts, beneficiaries, transactions.
2. Modeling bank scoring for a corporate client across different jurisdictions and types of banks.
3. Developing a strategy:
   • we adapt the business model and structure to the requirements of target banks (restructuring the business model to meet the bank’s requirements);
   • or we choose financial institutions whose risk appetite better matches the company’s current profile.

KYC dossier and onboarding: preparation

The COREDO team has carried out dozens of projects where the key to success was the careful preparation of the KYC package for a foreign bank:

• we prepare a package of documents and business descriptions;
• we work out responses to standard and complex questions from compliance officers;
• we prepare a guide for an in-depth compliance interview with the bank;
• we manage communications until a decision is reached.

AML support for companies

A separate area: support after account opening:

• assistance in responding to regular queries about transactions and counterparties;
• documenting changes (change of beneficiaries, changes to the structure, expansion of payment geography);
• preparing for limit increases or the addition of new products.

To summarize my experience since 2016, resilience to bank rejections is not about “finding the one right bank”, but about building your business, structure and processes so that banks see you as a predictable, manageable and understandable partner.

To summarize my experience as the founder of COREDO, most questions and problems for international businesses today arise not from company registration or even from obtaining a license, but from how to move forward in a world of continuous transaction monitoring and strict AML compliance requirements.

An entrepreneur sees one thing: “the payment was delayed again”, “the bank requested a package of documents”, “the client’s wallet is blocked pending investigation”.
But here’s what’s happening behind the scenes: a complex AML transaction monitoring system, hundreds of AML rules, dozens of AML scenarios, thousands of AML alerts daily and a constant struggle between risk and customer experience.

1. which typical suspicious transaction monitoring scenarios most often trigger alerts;
2. how these scenarios look from the perspective of a bank/fintech/licensed company;
3. what an owner or chief financial officer can do to reduce the number of unnecessary alerts without exposing the business to regulatory risk.

I base this on COREDO’s real-world practice: company registration in the EU and Asia, obtaining financial licenses, setting up AML functions and supporting clients in the Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore, Dubai and other jurisdictions.

Why a payment ends up in AML monitoring

Any bank, fintech, payment institution, crypto exchange or virtual asset service provider is required to have a functioning anti-money laundering monitoring system. This is not “desirable”, but a direct requirement of regulators in the EU, the United Kingdom, Singapore, the UAE, and many countries in Asia and the CIS.

Inside such a system there are always three layers:

• KYC and transaction monitoring
  Customer profile, customer risk rating, customer behavior profile, expected turnover and expected transaction pattern. It is precisely through the combination KYC + transaction monitoring that the system determines whether this transaction is normal for a specific customer.
• Rule-based / scenario-based transaction monitoring
  A set of aml scenarios and aml rules that catch unusual transaction patterns, high-risk transactions, cross-border transactions with increased risk, operations with high-risk jurisdictions, PEPs and sanctions alerts, etc.
• Alert handling & investigations
  Generation of transaction monitoring alerts, their prioritization, investigation, escalation, and, if necessary, submission of a suspicious activity report (SAR) to the financial intelligence unit (FIU) and a full aml transaction monitoring audit trail.

Common scenarios that trigger AML alerts

Typical scenarios that most often trigger AML alerts are recurring patterns of client behavior and transactions that automated systems recognize as potentially suspicious operations. By breaking down scenarios such as structuring / smurfing and payment fragmentation, it is easier to understand why alerts fire on them more often and how the compliance team responds.

I am designed to:

• Synthesize information from search results
• Answer users’ informational questions
• Provide analytics based on factual data

• the client regularly makes many small payments,
• each of them just below formal AML transaction thresholds,
• in total over a short period this is a significant volume.

Systems see such smurfing / structuring alerts as:

• frequent operations for similar amounts;
• splitting a single logical payment into a chain of small ones;
• fragmentation between related accounts or related-party transactions.

Key to reducing false positives:
clearly document transaction profiling, the business rationale for structuring, and agree this with the bank/provider.

Rapid turnover of funds in the account

Rapid movement of funds alerts occur when money:

• arrives and leaves almost immediately;
• moves quickly through several accounts;
• pass through complex chains (back-to-back, round-tripping funds, mirror transactions).

Common triggers:

• intra-group transactions monitoring between related companies;
• rapid turnover through corporate accounts with a small balance;
• a sudden increase in turnover without a clear explanation.

What helps:

• a documented customer behavior profile and a description of business cycles;
• transparent contracts, invoices, and supply chain payment risk logic;
• pre-configuring scenarios for the client type: trade, fintech, payment provider, etc.

Unusual geography and high-risk jurisdictions

One of the most frequent questions from clients:
“Why does a payment to a new country immediately trigger an alert?”

The system monitors:

• the sender’s and recipient’s countries;
• correspondent banks (correspondent banking risk, nested relationships risk);
• links to sanctioned or offshore jurisdictions;
• sharp changes in geography (yesterday – only the EU, today – payments to several high-risk jurisdictions simultaneously).

The right strategy:

• adapt AML scenarios in advance taking into account regional typologies Europe / Asia / Africa;
• conduct an AML risk assessment for new directions;
• update the customer risk rating taking into account new countries and products.

Dormant account reactivation: sudden reactivation

Dormant account reactivation alerts: one of the most underestimated yet dangerous scenarios:

• the account was unused for a long time;
• then large or numerous transactions occur in a short period;
• especially if the nature of the transactions or the geography changes.

This can be inconvenient for the business: the company “unfroze” one of its old accounts in Europe, started new operations – and received a series of AML alerts and requests for documents.

• pre-notification of the planned account reactivation;
• description of the new expected transaction pattern;
• if necessary – updating KYC and enhanced Due Diligence (EDD).

Large transactions and high risks

Large value transaction alerts trigger when value-based thresholds are exceeded, often in combination with:

• non-standard counterparties;
• high-risk industries (gaming, gambling, certain MCCs, cash-intensive businesses);
• an unusual currency or jurisdiction;
• an unusual frequency of large transactions.

For a corporate client it is critical here:

• describe limits and typical amounts in advance;
• provide transparent documents for key contracts;
• monitor so that one-off large transactions nseemed like an inexplicable “bulging” of the turn.

Crypto and virtual assets in banking

A topic that has come up more frequently in COREDO’s practice in recent years – cryptocurrency transaction monitoring, virtual asset service provider aml monitoring and on-ramp / off-ramp transaction monitoring.

Triggers:

• regular transfers to crypto exchanges and back;
• fiat payments to unknown VASPs;
• transactions involving stablecoins and DeFi monitoring through custodial wallets;
• transfers related to high-risk exchanges or anonymizing services.

• virtual assets and crypto exchanges risk;
• source of funds and beneficial ownership transparency;
• risks of layering and the integration stage of money laundering through crypto instruments.

• specialized scenarios for crypto-related transaction monitoring;
• device and channel analysis in AML (web, mobile, API);
• integration with blockchain data providers and high-risk address lists.

Customer behavior in AML alerts

With modern regulatory expectations, a single simple set of rules «if amount > X, generate an alert» is no longer enough. The following come into play:

• customer behavior monitoring AML;
• transaction frequency analysis and velocity checks in transaction monitoring;
• behavioral analytics in transaction monitoring and anomaly detection in AML monitoring.

The system looks not only at absolute amounts, but also at:

• deviations from the customer behavior profile;
• out-of-pattern transactions;
• seasonality and cyclicality of transactions;
• correlation with new products or markets.

How the AML transaction monitoring system works

An entrepreneur needs to understand not only the scenarios themselves but also how the system operates as a whole.

Rule-based or machine learning?

In COREDO’s real projects for implementing and configuring systems for banks, fintechs and payment institutions, a hybrid model is most often used:

• rule-based transaction monitoring
  Classic rules and scenarios: thresholds, country lists, structuring patterns, specific trade-based money laundering red flags, invoice fraud transaction patterns, mule account detection scenarios, scam-driven transfer detection.
• machine learning in transaction monitoring
  Anomaly detection algorithms, supervised vs unsupervised AML models, behavioral analytics, recommendations for alert prioritization and reduction of false positives.

• how AML model risk management is implemented;
• whether there are procedures for AML model validation for transaction monitoring;
• what audit trail and AML documentation exist;
• how data quality issues in transaction monitoring are addressed.

Calibration and threshold testing

The second critical area is AML transaction monitoring calibration:

• AML alert thresholds optimization;
• tuning suspicious transaction monitoring scenarios;
• above the line / below the line testing AML;
• AML scenario effectiveness testing.

• thresholds and scenario parameters do not match a real risk-based approach;
• there is no regular scenario library management and scenario coverage assessment;
• there is no functioning AML continuous learning feedback loop from analysts to rule owners.

Governance, KPIs and working with the business

A working AML transaction monitoring function is not only about technology and scenarios, but also about proper governance:

• AML alerts governance framework;
• the three lines of defence model in AML;
• governance of the financial crime function and financial crime committees;
• regular internal audits of transaction monitoring and independent validation of AML systems;
• regulatory inspections and reviews, preparation for inspections and addressing findings.

For the board and senior management, the following are important:

• key risk indicators (KRI) for AML;
• management information (MI) for AML;
• service level agreements (SLA) for alert handling;
• team workload and resource planning for AML teams;
• AML transaction monitoring ROI and cost of compliance vs cost of non-compliance.

What entrepreneurs and CFOs can do now

I’ll list practical steps that significantly reduce the “pain” of AML monitoring for operating businesses and are almost mandatory when launching new projects in Europe and Asia.

How to map your business model to AML

For a bank, your business is a set of risks, not just revenue. The task is to help the compliance team understand you.
I recommend preparing:

• a description of the business model with a focus on payment flows;
• customer segments, customer risk rating by groups;
• typical volumes, currencies, geography, expected transaction pattern;
• a list of high-risk industries if you work with them (gaming, gambling, cash-intensive, high-risk MCCs);
• group structure, ultimate beneficial owner (UBO) screening, complexity of corporate structure and use of virtual office / co-working addresses.

Transparency of banks and providers

Even large international banks often hide the logic of scenarios behind the formulation “required by the regulator”.

• discuss transaction monitoring common red flags and typical scenarios that trigger for your business;
• ask for examples of frequent AML alert scenarios in transaction monitoring for your type of business;
• clarify how the bank uses name screening vs transaction screening, sanctions screening and transaction monitoring, adverse media screening and PEP checks.

Invest in an internal AML function

For licensed companies (payment institutions, EMI, forex, crypto platforms, neobanks) this is a mandatory requirement of regulators in Europe and Asia.

• an in-house department + external COREDO support for complex issues;
• partial outsourcing of AML monitoring, where an internal compliance officer manages the provider;
• managed services for transaction monitoring, if the business is not ready to build a large team.

Data and IT landscape quality

Even the most expensive AML platform is powerless if:

• data sources are not synchronized;
• there are gaps in KYC, UBO, geodata, IP, device;
• there is no control over data quality issues in transaction monitoring.

• analysis of data ingestion and data mapping;
• checking data quality controls and completeness checks;
• the need for data enrichment (IP, device, geo), device fingerprinting in fintech, IP address risk indicators, geolocation risk scoring.

How to choose a jurisdiction and a license

choosing a jurisdiction for a holding or a financial license directly affects which AML transaction monitoring regulatory expectations you will have to meet.

• the EU (including the Czech Republic, Slovakia, Cyprus, Estonia, Latvia, Lithuania, Poland, the United Kingdom, etc.);
• Singapore, some Asian and Middle Eastern jurisdictions;
• CIS countries.

• local typologies from regulators and industry bodies;
• expectations for transaction monitoring in cross-border payments;
• requirements for governance of the financial crime function and the resource intensity of the AML function;
• scalability prospects: AML monitoring for multi-jurisdictional business, synchronization of rules across different countries.

How does COREDO help in practice?

• support for the launch of fintech projects and payment institutions in the EU;
• registration and support of crypto platforms and VASP;
• configuration of AML monitoring for neobanks, including real-time transaction monitoring alerts;
• optimization of existing monitoring systems for international holdings operating in Europe and Asia.

The approach is always the same:

1. We understand the business model and the real risk exposure.
2. We build the architecture of the AML/CTF function and a risk-based approach.
3. We help select and implement a technological solution (including cloud-based AML platforms, API-based integration with core banking, data lakes for AML analytics).
4. We configure scenario design, threshold setting, above/below the line testing.
5. We build governance, MI/KRI, escalation processes and interactions with the regulator.
6. We stay close as a long-term partner: we update scenarios, support during audits, and help adapt to new markets and products.

When I launched COREDO in 2016, the main task was not simply to register companies abroad, but to build stable structures for clients that could withstand any tightening of regulation, updates to the FATF lists and revisions of banking policies. Over the years it has become clear: the FATF grey list is not an abstract “country risk”, but a factor that directly affects business bank accounts abroad, access to financing and even strategy for entering new markets.

FATF grey list: what it is and what it means for businesses

• high‑risk jurisdictions subject to a call for action, a de facto FATF black list (maximum restrictions, effective financial isolation);
• jurisdictions under increased monitoring, FATF grey list — countries under increased monitoring that formally cooperate with the FATF but have not yet brought their AML/CTF regime up to the required level.

When a country enters the FATF grey list, it is not a ban on business, but:

• banks and financial institutions strengthen their risk‑based approach to clients connected with that jurisdiction;
• the likelihood of de‑risking increases: a targeted refusal to serve higher‑risk clients;
• greater scrutiny of correspondent accounts, which affects cross‑border payments and transaction times.

How FATF grey list status affects corporate accounts

Changes to banks’ compliance requirements

• increase the company’s risk profile;
• move servicing to the enhanced Due Diligence (EDD) category;
• increase the frequency of file reviews (rechecking beneficiaries, sources of funds, structure).

• opening a company’s account in a high-risk country takes longer, requires more documentation and often separate approval by the compliance committee;
• servicing non-residents in EU banks becomes noticeably more difficult – especially if the structure includes companies from jurisdictions under increased FATF monitoring;
• a properly functioning account can be temporarily blocked until additional evidence of the economic rationale of the transactions is provided.

Blocking and closure of bank accounts

• targeted blocking of transactions, the bank requests explanations for a specific payment related to a counterparty from a high-risk AML country;
• temporary blocking of the account until completion of an internal investigation or EDD;
• planned de-risking, the bank notifies of the closure of the corporate account due to an update in its policy on dealing with clients from «grey» jurisdictions or connected to them.

FATF grey list and black list: risks for businesses

Registration of companies in the EU and Asia

How this affects company registration in the EU, Asia and other regions: no longer a theoretical question but a practical factor that directly influences the choice of jurisdiction, ownership structure and access to banking services. The tightening of sanctions and AML controls is changing the rules: requirements for beneficiary transparency, source of funds and genuine business activity are becoming key when registering companies in the EU, Asia and other regions.

Company registration in the EU and banking risks

When we assist clients with registering legal entities in the EU — in the Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom and other countries — one of the first topics discussed is the jurisdictional risk of beneficiaries and key counterparties.

• a bank in the EU may be relatively lenient toward a local company, but significantly stricter toward a group if the holding or part of the assets are located in a FATF grey list country;
• corporate accounts in countries on the FATF grey list often face difficulties with cross‑border payments to the EU due to correspondent‑bank level restrictions;
• company registration in Europe without a sound banking strategy is almost pointless: an account may open, but ongoing service will be unstable.

Asia and Africa: high-risk AML jurisdictions

• access to local banks;
• the ability to open accounts in the EU;
• the structure of cross‑border financing.

Consequences for banks of being placed on the FATF grey list

Immediate consequences for the organism

• review of limits and fees on existing accounts, increase in commissions, especially for international payments;
• increase in transaction processing times, especially to/from high‑risk AML countries;
• additional KYC/KYB requests for already serviced clients, document updates, confirmation of structure, disclosure of beneficiaries.

Medium-term consequences of de-risking and financial isolation

• reduce limits, restrict types of operations (for example, trade finance, complex cross‑border deals);
• refuse new clients linked to «grey» jurisdictions;
• initiate correspondent de‑risking: closing or restricting correspondent accounts with banks from those countries.

KYC and EDD for clients from grey jurisdictions

How banks strengthen KYC/EDD for clients from grey jurisdictions is primarily about moving to a stricter risk‑based approach: such clients are automatically assigned an elevated risk profile, and disclosure requirements become deeper and more detailed. As a result, the standard set of documents is no longer sufficient: banks expand the list of requests, enhance transaction monitoring and expect much greater transparency from clients regarding structure, beneficiaries and sources of funds.

What is most often required

• a detailed ownership structure listing all beneficial owners and controlling persons;
• confirmation of the source of funds and origin of capital (source of funds / source of wealth);
• documents for key counterparties, especially if they are from AML high‑risk jurisdictions;
• explanations of the business model and the economic rationale of transactions.

• board resolutions, corporate agreements, trust declarations;
• a legal opinion (legal opinion) on the AML risks of the structure;
• the company’s internal AML policies and procedures, including the appointment of an MLRO.

Requirements for beneficial ownership transparency

• banks’ near‑total rejection of complex, opaque structures lacking an obvious business purpose;
• a stricter approach to trusts, funds, and multi‑level SPV chains;
• attention to links with politically exposed persons (PEP).

Strategy for companies in countries on the FATF grey list

A strategy for groups with companies in countries on the FATF grey list requires more than one‑off measures “after the fact” — it needs a thoughtful approach to managing risks, reputation and access to international settlements. To avoid living in a constant “firefighting” mode, such groups need a systemic compliance strategy instead of a spontaneous reaction to ever‑new requests from banks and regulators.

Compliance strategy instead of reaction

• tracking updates to the FATF grey list and national lists of high‑risk countries;
• regular assessment of country and jurisdictional risk taking into account the group’s exposure;
• scenario analysis: what happens to banking relationships and financing if a specific client’s country/subsidiary is placed on the grey list.

When it makes sense to change jurisdiction

• if the cost of maintaining the entity (bank fees, compliance burden, transaction restrictions) grows faster than the economic rationale for staying in the current jurisdiction, relocation may have a positive ROI;
• if access to international financing and investors is critical (funds, SPV structures, investment projects), presence in grey jurisdictions seriously weakens the negotiating position;
• if the group targets EU banks and developed financial centres, maintaining a beneficial ownership link with a high‑risk country will continuously reduce banks’ risk appetite.

How to reduce the impact of the FATF grey list on business

I will gather in one place the practices that actually work for our clients.

Business structure and choice of jurisdictions

• Avoid concentrating key companies in FATF grey list countries, especially if you plan to work with EU banks or international financial institutions.
• Use holding companies and SPVs in low-AML-risk jurisdictions, keeping presence in ‘grey’ countries at the operational level and minimizing their role in the funding chain.
• When entering new markets (including Africa and parts of Asia), incorporate country risk into your model and include scenarios for changes in FATF status.

Internal AML/CTF system

• Implement formalized AML policies, KYC procedures/KYB and transaction monitoring: banks appreciate when a business “speaks the same language” as them.
• Appoint an AML/CTF officer (MLRO) and set up a regular training cycle for employees involved in international payments.
• Digitize processes – automated collection and updating of KYC documents, a log of counterparty checks, and sanctions risk monitoring.

How to work with banks and payment providers

• Don’t rely on a single banking partner: diversifying accounts across jurisdictions and types of institutions reduces the risk of sudden financial isolation.
• When choosing a bank, openly discuss the country and jurisdictional risk of your group; this will immediately reveal their appetite for clients with a presence on the FATF grey list.
• Consider alternative payment solutions, licensed fintech providers and payment institutions where correspondent banking is significantly limited.

How COREDO helps navigate high AML risk

• Registration of legal entities in the EU, Asia and the CIS taking into account AML risks and banks’ requirements, from choice of legal form to ownership structure.
• Obtaining financial licenses (crypto, forex, payment, other licenses in EU countries, the UK, Singapore, etc.) with a focus on AML compliance/CTF standards.
• AML consulting: development of an internal AML system/CTF, preparation for audits, support in interactions with banks and regulators.
• Comprehensive business support: Legal outsourcing, transaction support, preparation of Legal Opinion, structuring of holding and investment schemes.

If you see that:

• the country of registration of your company or a beneficiary is at risk of being placed on the FATF grey list;
• a bank has increased KYC/EDD requests or has notified of a review of the relationship;
• you are planning to register a company in the EU, Asia or another jurisdiction and want to take AML risks for international business into account already at the structuring stage,

When an entrepreneur today hears from a bank or regulator “please provide source of funds and source of wealth“, it’s no longer a formal checklist but a real filter: will your business be accepted into the international financial system, will you be able to open an account in Europe or Asia, will you close an M&A deal or raise investment.

As the founder of COREDO I see this every day: strong or weak handling of SOF/SOW directly affects deal speed, the risk of account freezes and, overall, whether your international project will operate sustainably or constantly ‘burn’ on compliance.

In this article I’ll cover:

• how source of funds differs from source of wealth in practice;
• how businesses can build AML compliance around SOF/SOW;
• which best practices we apply at COREDO when working in the EU, Singapore, Dubai, the Czech Republic, Slovakia, Cyprus, Estonia and other jurisdictions;
• real cases and typical mistakes that cause clients to lose time, deals and reputation.

Source of funds vs source of wealth: what’s the difference?

The definition is well known in theory, but problems arise in practice.

• Source of funds (SOF) is the specific money in a specific transaction.
  Where exactly the funds came from that you use to pay for a company, contribute capital to a European company, or transfer money to an investment platform.
• Source of wealth (SOW) is the history of the client’s wealth formation.
  How the beneficial owner (UBO) or an individual accumulated their wealth: through business, investments, inheritance, options, crypto assets, etc.

Banks, licensed financial companies, crypto providers, payment institutions, forex brokers, electronic money issuers are required within customer Due Diligence (CDD) and enhanced due diligence (EDD) to understand both SOF and SOW: especially in Europe and developed Asian jurisdictions.

In practice:

• for a single large transaction: emphasis on AML source of funds;
• when working with high-risk clients, UBOs, PEPs, large business owners: focus on AML source of wealth.

Why SOF and SOW Are Needed for Businesses and Regulators

Regulators in the EU, the United Kingdom, Singapore, Cyprus and other countries that the COREDO team works with view SOF/SOW through the lens of anti-money laundering / counter-terrorist financing (AML/CFT).

Objectives:

• prevent the use of the financial system for money laundering and terrorist financing;
• reduce sanctions risks and the risks of dealing with prohibited persons and entities;
• ensure tax and corporate transparency (CRS, FATCA, UBO registers).

For businesses this means:

• without a clear history of the origin of funds and origin of capital, delays, refusals to open accounts, blocks on high‑value transactions, difficulties with M&A and attracting investment;
• without established AML compliance for SOF/SOW, the risk of fines, reputational loss, de-risking (when banks and providers terminate relationships ‘just in case’).

SOF vs SOW: what’s the difference?

I answer simply: the regulator and the bank look not only at legality, but also at logic and proportionality.

• SOF – we demonstrate why these funds logically belong to you and why they are the ones involved in this transaction.
• SOW – we demonstrate why your level of wealth realistically corresponds to your business career and financial history.

The COREDO team often starts a project with financial due diligence of the beneficiaries:
analyzes the corporate structure, the beneficiaries, the economic rationale of transactions, tax history, public information, and the client companies’ financial statements.

Sources of Capital

Sources of origin of funds

Typical sources of a client’s funds:

• profit and turnover of an operating company (invoice‑based);
• dividends from business;
• sale of a stake (SPA/share purchase agreement);
• loan repayment (loan agreements);
• investment income (capital markets, funds);
• crypto income (after conversion to fiat through regulated providers);
• refinancing or lending (facility agreements, bank loans).

Documentary evidence of source of funds:

• contracts, invoices, acceptance certificates, specifications;
• bank statements confirming receipt;
• tax returns and company financial statements;
• deal documents (SPA, loan agreements, security documents).

Sources of Wealth (SOW)

Sources of the client’s wealth:

• long-term business profits;
• sale of a business/holding (exit, IPO);
• investment portfolio (stocks, bonds, funds, private equity);
• inheritance;
• employer stock options and shares (especially in IT and the digital sector);
• crypto-assets, early investments in projects, online business.

Documentary evidence of source of wealth:

• financial statements and audited company reports;
• share purchase agreements, valuation reports, closing documents;
• inheritance documents;
• reports from brokers and investment platforms;
• digital traces (work history in large IT companies, data about startups, public deals, media);
• socio-economic biography: career, positions, participation in governing bodies.

Risk-based approach: how deep the checks go

Regulation in the EU, the UK, Singapore and other countries requires a risk-based approach when vetting clients.
This means: the depth of customer due diligence and enhanced due diligence depends on:

• the client’s jurisdiction and that of its counterparties (high-risk jurisdictions);
• the industry (cash‑intensive business, gambling, crypto, financial services);
• the status (PEP, high-risk customers, UBO of a complex structure);
• the size and nature of transactions (high-value transactions, M&A, large tranches).

If the client:

• is the owner of a large holding company,
• has a multi-level structure,
• has cross-border transactions through several jurisdictions, they will almost certainly be subject to enhanced due diligence on source of wealth, not just on SOF.

Cases from COREDO practice

Source of funds when purchasing real estate in the EU

Task:
a corporate client is purchasing commercial real estate in an EU country. Price: high‑value transaction.

Problem:
the bank requested AML source of funds. The client provided only the purchase agreement and internal management reporting. The bank intensified its requests, and delays began.

Solution developed by COREDO:

• analyzed the company’s business model, its transaction flow vs economic origin of funds;
• structured the SOF/SOW documentation:
  • contracts with key buyers,
  • invoices,
  • bank statements for incoming payments,
  • tax filings,
  • a brief explanation of the economic logic (economic rationale of transactions);
• prepared an explanatory letter to the bank on behalf of the client, linking:
  • the company’s turnover,
  • margins,
  • accumulation of profits,
  • movement of funds prior to the purchase of the property.

Source of wealth of a fast-growing IT business owner

Task:
opening an account in a European bank for the holding company of an IT group owner with assets in several countries in Asia and the EU.

Problem:
the bank questioned the realism of the declared source of wealth:
over a relatively short period the entrepreneur showed a significant increase in net worth, some income came from the sale of stakes in startups and crypto assets.

Solution:

• collected digital traces as confirmation of source of wealth: participation in well-known IT projects, public transactions, mentions in the media, profiles on professional networks;
• documented the transaction history: SAFEs, convertible notes, SPA, valuation reports;
• for crypto assets – wallet exports, reports from verified crypto providers, KYC confirmations on exchanges;
• prepared a structured dossier on lifetime wealth analysis: how the client’s capital changed year by year, linked to specific events (project launches, share sales, investor exits).

Mistakes in verifying source of funds and wealth

Over the years the COREDO team has seen dozens of recurring mistakes.

For businesses and beneficiaries

• Confusion between SOF and SOW: the same documents are sent “for all occasions”, without focus on the specific transaction.
• Ignoring ownership structure: multi-level holdings, trusts and funds without clear UBO documentation.
• Mismatch between source of wealth and income/lifestyle level:
  lives like an UHNWI, but documents show average income.
• Attempt to “overwhelm” the bank with documents instead of a structured package:
  compliance officers care about logic, not the volume of paperwork.
• Underestimating cross-border specifics: different jurisdictions in the flow of funds, lack of explanation of tax / legal rationale.

client checks for fintech and banks

• Unclear internal company policy on collecting SOF/SOW data.
• Formal risk-based approach: clients are assessed by checkbox, without regard to the business model.
• Lack of automation of transaction monitoring and SOF/SOW checks where justified.
• Insufficient integration of KYC / KYB compliance processes, customer due diligence and ongoing due diligence.
• Poor recording of decisions: no one plans in advance how to document source of wealth check results for the regulator.

How to prepare for an SOF/SOW review

For the business owner / UBO

1. Your wealth map (SOW)
   – where the business originated,
   – what the key transactions were,
   – how capital changed year by year.
2. Document portfolio for primary sources
   – business (financial statements, audit, contracts, dividends);
   – sale of shares (agreements, valuation, closing documents);
   – inheritance (notarial documents);
   – investments (broker statements).
3. Readiness to explain “non-standard” cases
   – crypto assets;
   – online business;
   – rapid growth over a short period.
4. Consistency between lifestyle and SOW
   If your standard of living is clearly higher than the documented source of wealth, be prepared for additional questions.

For businesses that perform client checks themselves

1. Approve at the board level internal AML policies & procedures for SOF/SOW.
2. Set up a risk-based approach: who is subject to SDD, CDD, EDD; which triggers require enhanced due diligence.
3. Describe regulatory expectations for SOF/SOW in the jurisdictions where you operate (EU, Asia, CIS).
4. Define the data you collect at stages:
   • onboarding of high-risk clients;
   • ongoing monitoring;
   • for high-value transactions.
5. Decide what you do manually and where automation of processes for source of funds / source of wealth checks is appropriate (RegTech, screening, transaction monitoring).

Client at risk: discrepancies and indicators

• mismatch of source of funds with the client’s profile:
  for example, large payments from an industry unrelated to the declared business;
• discrepancy between source of wealth and income level:
  significant assets with minimal documented income;
• complex multi-level structures without economic rationale;
• frequent cross-border transactions without a clear business rationale;
• use of companies from high-risk jurisdictions without a logical explanation;
• sudden appearance of large amounts without a history of their formation (no lifetime wealth analysis);
• client’s unwillingness to disclose information about the UBO and their SOW.

Automation of SOF/SOW: manual work and RegTech

For financial companies, crypto platforms, payment providers and licensed entities in the EU and Asia the challenge is:
how to scale AML compliance without drowning in operational manual KYC.

The approach that the COREDO team applies in projects:

• digital onboarding and eKYC: collection of basic KYC/KYB‑data and initial information on SOF/SOW online;
• integration of screening and sanctions compliance (sanctions lists, PEP, adverse media);
• transaction monitoring tied to typical SOF‑scenarios:
  • operational revenue,
  • investment transfers,
  • loan repayments;
• risk triggers and alerts tailored to SOF/SOW:
  • a sharp increase in transaction volume;
  • changes in counterparties’ jurisdictions;
  • emergence of unusual sources of funds;
• KYC remediation: periodic updating of SOW data as part of ongoing due diligence.

At the same time, the key is the balance:

• what can be automated,
• where human judgement is essential,
• how to record in the system the decision taken and its justification to confidently pass a regulatory review.

How COREDO builds the SOF/SOW system

We often start with the basics:

1. Audit of the current AML framework for SOF/SOW.
2. Mapping risks by jurisdiction (EU, United Kingdom, Singapore, Cyprus, Estonia, Dubai, etc.).
3. Setting up governance: who is responsible for what (business, compliance, internal audit, MLRO), how the three lines of defence model works.
4. Training key employees to understand the difference between transaction flow and the actual source of funds, where the money really comes from.

• opening accounts,
• obtaining financial licenses,
• scaling into new jurisdictions,
• M&A deals and attracting investment.

And the fewer surprises owners and senior managers will face in the form of sudden compliance requests or freezes at a critical moment.

For the tenth year now I have been observing the same picture: when companies enter new jurisdictions they calculate taxes in detail but hardly consider regulatory risk and compliance risk. As a result some lose months negotiating with the regulator, others lose licenses and reputation. And a third come to us already in crisis mode: accounts are blocked, the license is under threat, the business model needs urgent restructuring.

In this article I will explain how I myself view regulatory arbitrage in international structures, how it differs from healthy regulatory optimisation, which strategies are permissible for transnational business and where the line is beyond which the risks of non-compliance with regulator requirements and enhanced supervision begin.

I rely on the practice of COREDO: registration of legal entities in Europe, Asia and the CIS, licensing of financial services, AML consulting and legal support for business in the EU, the United Kingdom, Singapore, Dubai, Cyprus, Estonia, the Czech Republic, Slovakia and other jurisdictions.

Regulatory arbitrage in simple terms

Simply put: when a group of companies chooses a country not only for taxes but also for where:

• it’s easier to obtain a license;
• capital requirements are more lenient;
• less stringent AML/KYC procedures;
• consumer protection or disclosure requirements are lower.

The line between optimisation and arbitrage

In practice I always divide clients’ approaches into three zones.

Lawful regulatory optimisation

Here the company:

• structures corporate organisation taking regulation into account but does not hide the actual business from supervision;
• chooses a jurisdiction where rules are clearer, procedures more transparent, and timelines more predictable;
• uses passporting regimes in the EU for cross-border financial services, but honestly complies with the requirements of the license’s home country;
• builds corporate compliance and AML compliance not at the minimum level but taking the group as a whole into account.

The grey zone of regulatory arbitrage

• a payment startup is licensed in a jurisdiction with light supervision but conducts its main activities effectively in a stricter country without obtaining a local license there;
• a group splits the business into affiliated MFIs (microfinance companies) to remain “below the thresholds” of prudential requirements;
• a crypto project formally places the parent company in one country and key operations and clients in another, hoping that “no one will notice”.

Aggressive high-risk regulatory arbitrage

This is when a company deliberately:

• masks the actual country of business and the centre of management;
• uses “thin” schemes with affiliated companies to circumvent capital and supervision requirements;
• moves high-risk operations to jurisdictions with minimal regulation, leaving only a front in the “white” part.

Regulatory supervision in the financial sector

The most common models I encounter:

• regulatory arbitrage in payment services: an e-money or payment institution license in a jurisdiction with laxer requirements and an actual focus on clients from stricter countries;
• regulatory arbitrage in cryptocurrencies: placing a crypto exchange or broker in countries with a more flexible virtual assets regulatory regime while serving a global audience;
• regulatory arbitrage in fintech: using the status ‘sandbox’ or experimental regimes for full commercial activity that goes beyond pilots;
• arbitrage between licenses bank vs MFI: moving high-risk retail lending to an MFI with more lenient capital and consumer protection requirements, while the brand and ecosystem are associated with a large player.

Regulators in the EU and Asia increasingly respond to this through:

• risk-oriented supervision and consolidated group-level review;
• the principle “same business – same risks – same rules” for banks, fintech and ecosystems;
• tightening rules for retail investors and users of high-risk instruments (CFDs, binary options, margin trading).

Why regulatory shopping is dangerous

In tax planning, companies are used to

and work with long-term rules of the game. In regulating finance and technology, the situation is different:

• regulatory risk often materializes abruptly: today a business model is legal, tomorrow a circular or guideline is issued, and part of the operations end up in the ‘red zone’;
• regulatory arbitrage and reputational risks are directly linked: investors and banks increasingly evaluate whether growth is being built on exploiting ‘grey zones’;
• risks of non-compliance with regulatory requirements manifest not only in fines, but also in restrictions on working with non-residents, limits on transactions, and account freezes.

Choosing a jurisdiction: taxes and the banking system

• What cross-border financial services do you plan to provide?
• Do you need a financial license – payment, investment, crypto, forex?
• Where will the clients and the key team actually be located?
• What are your compliance risks (sanctions, AML, industry-specific restrictions)?

Then a systemic jurisdictional analysis kicks in. Our experience at COREDO has shown that sustainable models are born not from the ‘easiest’ jurisdiction, but from a combination of:

• predictable regulation of business in the EU or in Asia;
• adequate regulatory burden;
• the presence of clear licensing and supervision procedures;
• availability of bank accounts and payment infrastructure.

Regulatory arbitrage: COREDO cases

I’ll change the details but keep the essence of the models.

# Case 1. A payments startup between the EU and Asia

Task: launch a payment service for e-commerce with clients in the EU and Asia, minimize time to market and regulatory risks.

What the market proposed: find a ‘soft’ jurisdiction in the EU, obtain a payment license there and serve all of Europe and part of the Asian clients through it via passporting.

What the COREDO team did:

• conducted an assessment of regulatory risks for the business taking into account scaling plans and the client segment;
• set up a separate licensed company in the EU and another in Asia, where payment services regulation was more flexible but with clear AML requirements;
• developed a compliance strategy for the transnational business: unified KYC/CDD standards across the group, regardless of the minimum requirements of individual countries;
• planned in advance for scenarios of regulatory tightening and potential restrictions on passporting in the EU.

# Case 2. A crypto project and a light license

Task: obtain a crypto license in a jurisdiction with minimal time and capital costs in order to serve clients globally.

Actual model: the majority of clients were from EU countries and the UK, marketing and key executives were also there, but the license was planned in a third jurisdiction with lighter supervision of crypto-service providers.

AML compliance: common company mistakes

At the group level, owners sometimes try to exploit differences in AML/CFT requirements between countries:

• set looser limits and checks in jurisdictions with low regulatory burden;
• build a customer-facing front office in one country and risk functions in another where regulations are looser;
• apply different KYC standards/CDD procedures depending on the client’s jurisdiction of registration rather than on their actual risk.

Sanctions risks and regulatory arbitrage

For owners of international holdings, the issue of sanctions has become one of the key drivers of structural changes. Somewho are trying to use regulatory arbitrage within the structure of international holdings to:

• transferring assets to jurisdictions with a softer or different sanctions regime;
• structuring affiliated chains of ownership and control to reduce the likelihood of directly falling under restrictions.

• many sanctions regimes are applied extraterritorially;
• banks and financial institutions often apply standards stricter than formal requirements;
• regulatory arbitrage and sanctions against beneficiaries ultimately lead to access to banking services becoming significantly more expensive or altogether impossible.

Regulatory arbitrage: how to build it into strategy

Map of jurisdictions and licenses

• which licenses already exist;
• where the actual business is conducted;
• where clients, teams, and infrastructure (including data) are located.

Regulatory risk assessment by scenarios

• risk of tightening regulation in key jurisdictions;
• risk of retroactive application of certain rules;
• risk of consolidated supervision over the group.

Classification of arbitrage decisions

• decisions in «green zone» (lawful optimization);
• decisions in «yellow zone» (depends on the regulator’s stance);
• decisions in «red zone» (high risk of claims and loss of licenses).

Compliance strategy and risk appetite

• what level of regulatory arbitrage the business is willing to tolerate;
• what processes and policies are implemented for control;
• what metrics are used (for example, share of transactions in jurisdictions with elevated regulatory risk, number of regulator inquiries, compliance cost as part of expenses).

Restructuring and exit plan from risky models

• conditions under which the group abandons certain arbitrage decisions (regulatory shock, changes in FATF, Basel, IOSCO standards);
• steps for transferring licenses, changing data routes, reallocating business functions.

When it’s more advantageous to strengthen compliance than to change jurisdiction

• strong corporate compliance;
• transparent ownership structures;
• high-quality AML and sanctions control;

What can be done now

If you already manage an international structure or plan to scale, I recommend at least:

• carry out a jurisdictional analysis and a license audit from the perspective of regulatory risk (not just taxes);
• check whether there is hidden cross-border regulatory arbitrage between the group’s legal entities;
• assess how uniform your AML compliance standards are across the group, rather than being tailored to the «most lenient» country;
• prepare for dialogue with regulators: have a legally and economically justified explanation for why functions, licenses, and operations are allocated the way they are.

The COREDO team regularly supports clients at all these stages: from registering legal entities abroad and choosing a jurisdiction for a holding structure to licensing financial services and building a resilient international compliance system.

When an entrepreneur first comes to me with the idea of entering the payments services market in Europe, the same question usually reads in their eyes: “Where do you even start?” Regulation of payment institutions in the EU is not a single law or a single regulator, but a whole architecture of directives, national acts, supervisory practices and technical standards. And it is precisely how competent the first step is that determines whether a payment institution license will be your asset or a constant source of stress and constraints.

I have been developing COREDO since 2016 as a company that combines legal, regulatory and business vision in a single project. During this time the COREDO team has participated in the launch and scaling of dozens of fintech projects in the EU, the UK and Asia — from small payment institutions with a niche product to holdings combining the status of a payment institution and an e‑money institution in multiple jurisdictions.

In this article I will explain how regulation of payment institutions works in practice in the EU, what to look for when choosing a country, what the differences are between a payment institution license and an e‑money license, and what requirements for AML, governance and IT infrastructure need to be built into the model from day one. I will speak as a practitioner who is responsible not only for legal compliance but also for the profitability of such projects.

Regulation of payments: PSD2 and e‑money

1. EU Directive 2015/2366 (PSD2) – a framework document that sets out the general requirements for payment services in the EU: list of services, Licensing of payment institutions, third‑party access to accounts (open banking, XS2A), strong customer authentication and basic consumer protection requirements.
2. Directive 2009/110/EC (electronic money): defines the status of an electronic money institution (EMI), requirements for the issuance and circulation of electronic money, safeguarding of client funds and the minimum share capital for e‑money institutions.
3. National legislation of EU countries: each country implements PSD2 and Directive 2009/110/EC into its own laws, adding national specifics: requirements for substance, for the office, for top management, the level of IT security, reporting, etc.

The COREDO team constantly works at the intersection of these levels: we start with an analysis of the client’s business model under PSD2 and Directive 2009/110/EC, and then adapt it to a specific jurisdiction: Lithuania, Estonia, Ireland, Cyprus, Luxembourg or other EU countries.

Payment institution and e-money institution: difference

One of the first questions clients ask me is: “Do we need a payment institution license in Europe or immediately an electronic money license?”
Main difference

• Payment institution (PI) – grants the right to provide payment services listed in PSD2: acquiring, money remittance, execution of payment transactions, issuing of payment instruments, PISP/AISP, etc.
• Electronic money institution (EMI): additionally grants the right to issue electronic money and to hold clients’ funds in the form of an electronic balance (wallets, prepaid cards, stored-value services).

• the minimum share capital for a payment institution is lower than for an e‑money institution, especially if we are talking about a “small payment institution” or a limited license;
• EMIs have stricter requirements for safeguarding, prudential supervision, reporting and risk management.

Which PSD2 services require a license?

To avoid mistakes with the license, it’s important to honestly ask yourself: which specific operations do you want to perform?

• execution of payment transactions (including SEPA payments and cross-border payment services in the EU);
• issuing of payment instruments (cards, virtual cards, other instruments);
• acquiring of payment transactions (merchant acquiring, including online acquiring and payment gateways);
• money remittance (classic transfers without an account);
• services enabling cash to be placed on or withdrawn from a payment account;
• PISP and AISP (open banking).

Minimum statutory capital and supervision

For any payment institution and e‑money institution in the EU, it is critical to correctly assess capital requirements and the potential increase in supervisory burden as the business scales.
Capital: what is it?

In COREDO projects we always model a 3–5 year scenario: how growth in transaction volume will affect own funds requirements and, accordingly, the financial model. This helps avoid a situation where the business scales faster than the shareholders are willing to recapitalize the company.

Prudential supervision in the banking sector

Prudential supervision of payment institutions in the EU is built on a risk‑oriented approach. Regulators look not only at capital adequacy, but also at:

• risk management (operational, liquidity, compliance risk);
• internal control system;
• procedures for safeguarding client funds;
• IT and cyber risks.

Choosing an EU jurisdiction: strategy, not price

The COREDO team usually advises entrepreneurs to look at country choice from several angles:

1. Regulator: speed of communication, transparency of processes, willingness to innovate (regulatory sandboxes for fintech, attitude to new models, including paytech and embedded finance).
2. Requirements for substance:
   • requirement for a physical office;
   • local staff (board, MLRO, risk, compliance);
   • the depth of presence the regulator requires to recognize the company as genuinely managed from that country.
3. Requirements for safeguarding clients’ funds:
   • which banks/institutions accept funds;
   • whether insurance can be used;
   • specifics of account segregation and their oversight.
4. Reporting and supervisory burden: report frequency, complexity of forms, intensity of inspections.
5. Tolerance toward non-residents and cross-border models: an important factor for projects targeting clients from the CIS, Asia, Africa.

Single European passport for licensing

One of the EU’s key advantages: a single European passport for payment institutions and e‑money institutions.

• provide cross-border payment services in the EU without a separate license in each country;
• open a branch in other EU countries;
• build a network of agents and distribution across the territory.

• local consumer legislation;
• KYC/AML specifics for residents of different countries;
• local rules for marketing financial services;
• requirements for the language of documentation and customer support.

AML requirements for EU payment institutions

Any regulator in Europe today views AML/CFT as a key criterion for payment institutions and electronic money. If your anti‑money‑laundering procedures look formal, your chances of licensing success approach zero.

COREDO was originally formed as a team where AML‑consulting and Legal expertise in financial law work together. This has allowed us to build a practice in which we design the client’s AML model in parallel with the choice of jurisdiction and license, rather than after the fact.

• ownership structure and beneficiary requirements: transparency, no sanctions‑related risks, verification of source of funds;
• the appointment and actual status of the AML officer (MLRO): experience, independence, engagement;
• risk‑based approach: segmentation of clients by risk, enhanced Due Diligence where necessary;
• policies and procedures: customer due diligence, ongoing monitoring, transaction monitoring, sanctions screening, PEP policies;
• use of regtech solutions, but with the understanding that automation does not replace the responsibility of management bodies.

Governance: three lines of defence

In the work of the COREDO team we adhere to the concept of three lines of defence:

1. First line: the business units that create the product and interact with customers. They are responsible for compliance with procedures at the operational level.
2. Second line: the compliance and risk management functions that develop policies, monitor compliance, and analyse new risks (for example, when launching a new product or entering a new country).
3. Third line – internal audit, an independent assessment of the effectiveness of the entire system.

Regulators in many EU countries explicitly expect that, within the structure of a payment institution, the following will be visible:

• an independent compliance officer;
• a risk manager with an understanding of financial and operational risks;
• a plan and scope of internal audit (even if some functions are outsourced).

IT infrastructure and cybersecurity: PSD2 and SCA

For a fintech company, the IT platform is not only a product but also a regulated entity. Requirements for the IT infrastructure and cybersecurity of payment institutions in the EU include:

• compliance with PSD2 requirements for strong customer authentication (SCA);
• data protection in accordance with GDPR;
• resilience, redundancy, incident recovery plans;
• access control, operations logging, vulnerability management.

• API architecture (especially in the context of open banking);
• change management processes;
• outsourcing of critical IT functions and relationships with external providers.

The COREDO team is accustomed to involving IT architects and cybersecurity specialists already at the licensing preparation stage. This allows responding to regulator questions in advance, rather than reworking the platform at the last minute.

Outsourcing and agents: where is the line of what’s allowed

• critical functions (risk management, AML, key IT systems) cannot be completely ‘outsourced’ without losing control;
• necessary agreements, SLAs, monitoring mechanisms, and the regulator’s rights of access to information;
• the regulator assesses the payment institution’s ability to manage a network of agents and partners.

Common mistakes applicants make and how to avoid them

Over the years I have seen several recurring mistakes that significantly prolong or even block obtaining a payment license in the European Union:

1. Unclear business model: vague descriptions of services, inconsistencies between the product side and the legal part.
   • How we solve it at COREDO: we start with a product workshop, form a clear model, and then write the application pack to fit it.
2. Underestimating substance requirements: attempting to build a “virtual office” where the regulator expects a real presence.
   • We immediately explain what minimum office and key functions will be required in that specific country.
3. A formal approach to AML: copying template policies without taking into account the geography of clients and real risks.
   • The COREDO team adapts the AML model to the specific client base (including clients from the CIS and Asia, where risks are higher).
4. Weak management team: nominal directors without real experience in payments, risk, and finance.
   • In a number of cases we helped clients build a governance structure and select strong managers who satisfy the regulator.
5. Lack of a scaling model: the applicant does not show how they will manage risks as transactions grow, enter new countries, or launch new products.
   • COREDO’s practice confirms that having a scaling roadmap significantly increases the regulator’s confidence.

Strategic approach to a project: practical recommendations

If you are: a founder, chief financial officer, or head of a fintech division and are considering registering a fintech company in Europe under a payment license, I would recommend structuring the work in stages.

1. First: business model, then: jurisdiction.
   • Do not choose a country based on “where it’s easiest” or “where acquaintances have already obtained a license”. First describe the product: what payment services, which markets, which customers, how you monetize. The COREDO team often begins cooperation precisely with a product-/business-workshop.
2. Do an honest AML and risk self-assessment.
   • If you see clients from high-risk regions in your model, complex cross-border chains, work with crypto-assets or embedded finance, do not try to “hide” this from the regulator. Together with COREDO’s clients we develop realistic control measures that can be defended before the supervisory authority.
3. Model the ROI of your own license vs operating through a partner.
   • Having your own license: it’s not just freedom and margin, but also ongoing expenses for compliance, risk, reporting, IT security, and audit. Sometimes at the start it’s more sensible to build a hybrid model: operate through a partner while simultaneously preparing for licensing. Our experience at COREDO has shown that such strategic flexibility often yields a better result.
4. Plan passporting from day one.
   • If you target clients across the EU, it’s logical to think in advance about which countries will be key, which specifics need to be considered (language, local consumer law, taxes), and to embed this into the contract architecture, IT systems and compliance processes.
5. Don’t postpone organizational design.
   • The governance structure, allocation of compliance, risk management and internal audit functions are not a formality for the regulator, but the real resilience profile of the company. The sooner you establish it, the easier it will be to obtain a license and deal with subsequent supervision.

If you plan to create or scale a payment institution or e-money institution in the EU, the COREDO team truly has a lot to offer: from choosing a jurisdiction and license architecture to the operational setup of AML, governance and IT frameworks. And the earlier you involve experts, the more decisions you’ll be able to make from a position of strength, rather than under the pressure of deadlines and regulatory requirements.

MiCA: EMT or ART for stablecoins

MiCA divides stablecoins into two basic classes:

• e‑money tokens (EMT): essentially tokenized electronic money, 1:1 pegged to a single fiat currency, most often the euro.
• asset‑referenced tokens (ART) – tokens pegged to a basket of currencies and/or other assets (for example, a multi-currency stablecoin or a token backed by a mix of fiat+bonds+gold).

When it makes more sense to use EMT

For projects that target stablecoin use cases in payments, e‑commerce, B2B settlements and corporate treasuries, EMT most often becomes the default model.

When ART provides more flexibility

MiCA and algorithmic tokens: what’s prohibited

Stablecoin reserves under MiCA: architecture and audit

• obtain Licensing and regulatory supervision;
• withstand stress scenarios (withdrawal of 30–40% of assets over a short period);
• maintain acceptable project economics.

1. MiCA stablecoins with high-quality reserves will have a competitive advantage over ‘grey-zone’ tokens that European CASPs will sooner or later limit access to.
2. Large corporate users and financial institutions will look specifically at:

   • the reserve structure,
   • liquidity management procedures,
   • independent audit.

Redemption rights under MiCA: holder rights and issuer economics

MiCA enshrines a key principle: a stablecoin holder has the right to redeem the token for fiat (or the underlying asset) at par, within a reasonable time frame and on clear terms.

CASP, MiCA and passporting in the EU

Any issuer or platform working with stablecoins in Europe encounters the concept of crypto‑asset service providers (CASP).

Key idea: by obtaining a CASP license in one EU jurisdiction, you gain passporting for services across the Union. This significantly increases the value of choosing the right country for registration and licensing.

AML/KYC and the Travel Rule: practical compliance

DAC8 and reporting on stablecoins

MiCA and liquidity management

• whether MiCA-compliant regulated stablecoins can be used for daily settlements with counterparties in the EU;
• how stablecoins affect liquidity management and treasury strategies;
• what to choose for international settlements: CBDC, stablecoins, or traditional bank payments.

MiCA and regulation in Singapore, Hong Kong, the UK and the US

• stablecoin regulation in Singapore – a balanced regime with an emphasis on payments and enterprise solutions;
• stablecoin regulation in Hong Kong and the emerging Hong Kong stablecoin licensing regime;
• the UK’s approach, where stablecoins fall within the perimeter of financial regulation but with its own specifics;
• the debate in the US around GENIUS Act stablecoins and competing bills.

• reserves and transparency;
• consumer protection;
• systemic stablecoins and oversight by central authorities.

How we structure stablecoin projects at COREDO

What an entrepreneur and a CFO should take into account

• Design the stablecoin from the start for MiCA, even if the initial launch focuses on another region. Reworking the architecture afterwards in Europe is costly.
• Treat reserves and MiCA compliance as part of the unit economics, not just a regulatory burden: access to European platforms and large corporate clients depends on it.
• Embed AML and DAC8 readiness from the outset: many business models collapse not because of the token idea, but because of inadequate compliance and reporting.
• See MiCA as an opportunity for differentiation: regulated stablecoins with transparent reserves and a clear legal framework will outperform “grey” alternatives, especially in the B2B and enterprise segments.

In international groups the question of a KYC policy today sounds very direct: a single standard or local adaptation? As someone who has been developing COREDO since 2016 and sees live cases from the EU, Asia and the CIS every day, I will confidently answer: formally, a single framework is needed; practically — without thoughtful local adaptation the business simply will not survive.

Why the old KYC approach does not work

• payment systems,
• correspondent accounts,
• licenses (crypto, EMI, PI, forex, investment),
• marketplace ecosystems and fintech partners.

• Each jurisdiction requires it “a little differently”: forms, timeframes, documents, EDD levels.
• Payment partners and banks practice over-compliance: they check every client and every transaction, block accounts, and require KYC updates “more often than is written in the law.”
• Scaling into 5–10+ countries turns into chaos: different procedures, different IT systems, different interpretations of AML risks in subsidiaries.

Group-wide KYC standard: components and requirements

• Risk appetite and client typologies
  • retail, SME, corporate, financial institutions;
  • high-risk segments: CBI clients (investment migration), crypto brokers, PSPs, P2P platforms.
  • logic: whom you are willing to serve at all, and whom: not in any country.
• KYC classification and verification levels
  • standard verification,
  • enhanced due diligence (EDD),
  • enhanced checks for PEPs, sanctioned and CBI clients.
  Uniformity is important here: if EDD for a corporate client in one subsidiary includes an analysis of the origin of capital over 3 years, and in another: only a declaration, the global risk profile is distorted.
• Basic 15-step KYC process for legal entities
  At COREDO we often build a multistep process where, regardless of the country, the following mandatory steps are present:
  • company identification (registration documents, articles of association);
  • identification of beneficial owners and the control structure;
  • verification of directors and key controlling persons;
  • analysis of discrepancies between passports and tax residency;
  • proof of address;
  • checks against sanctions, PEPs, negative media;
  • verification of source of funds and sources of income;
  • assessment of the business model and transaction geography;
  • assigning a risk rating;
  • decision: onboard / reject / EDD / additional requests.
• KYT policy and transaction monitoring
  • rules for real-time monitoring of suspicious transactions;
  • trigger logic by countries and counterparties;
  • approach to blocking/holding transactions and requesting documents.
• Requirements for digital compliance and cybersecurity
  • use of digital identification systems and eIDAS (for the EU);
  • requirements for storing KYC files and activity logs;
  • basic cybersecurity standards: client data protection, access control, logging of verifications.
• Role of an independent compliance officer
  • uniform qualification requirements;
  • independent reporting to the Board of Directors;
  • veto power over risky onboardings.

Where local adaptation of KYC is mandatory
Even a perfectly built global standard does not negate the fact that EU KYC requirements, fintech regulation in Asia and the practices of CIS regulators differ.

I see three levels where local adaptation is not just desirable, but critical.

Requirements and timelines

• In a number of EU countries regulators are moving from “simplified verification” to a strict model of full KYC checks for almost all categories of clients.
• Verification timeframes are shortening: what used to take up to 10 days is now expected to be completed within 2–5 days: especially in fintech, so the client does not go to a competitor.
• For payment companies and crypto licenses, local regulators (for example, in Lithuania, Estonia, Cyprus) set separate requirements for the structure of AML/KYC policies, the content of reporting and data formats.

• EU directives, PSD2, eIDAS for payment and fintech companies;
• requirements of local Asian supervisory authorities, aligned with FATF Guidance;
• requirements for machine-readable AML reporting and online monitoring by regulators.

Substance and real presence requirements

• a real office and staff,
• local directors,
• risk management and on-site compliance,
• the volume of operations in the jurisdiction.

• reallocation of functions (risk, AML, IT) between countries;
• justification of why KYC functions are centralized or, conversely, localized;
• the argument for substance in the exact country where you want to obtain a license or a bank account.

Practice of banks and payment partners

• unclear beneficiary structure;
• mismatch between passports and tax residency;
• lack of transparent evidence of source of funds;
• weak group-level KYC policy and absence of local procedures.

KYC vs KYT and the Travel Rule: what’s changed

• implementation of the FATF Travel Rule: transmission of sender and recipient data between VASPs (Virtual Asset Service Providers) and payment institutions;
• real-time monitoring of sender and recipient against sanctions and risk lists;
• use of blockchain analyzers to assess the risk of addresses and transactions.

• restructure internal policy from “one-time KYC at onboarding” to continuous KYT monitoring;
• implement regulatory synchronization between countries: so that transactions passing through the EU and Asia comply with unified rules on data and reporting;
• prepare for online transaction monitoring by regulators and mandatory data exchange between countries.

KYC for corporate clients: structure

• Basic KYC (all jurisdictions)
  • standard set of company and beneficiary documents;
  • minimal screening for adverse factors;
  • initial risk scoring.
• Enhanced KYC / EDD
  • detailed analysis of structure and ultimate control;
  • in-depth verification of source of funds (bank statements, contracts, financial statements);
  • check of corporate history, M&A deals, changes of beneficiaries;
  • monitoring of PEP status and political risks.
• Special scenarios (CBI, high-risk clients)
  For CBI clients and investment migration, international banks and regulators treat them as high risk.
  • prepare a rationale for the client’s economic substance;
  • demonstrate the consistency of passport, residency, and actual center of interests;
  • document the veracity of the source of funds and the reasons for structuring assets through a particular jurisdiction.

Do KYC automation and digital compliance pay off?

• Reduction of onboarding times from 10 to 2–5 days for corporate clients thanks to digital identification systems and automated checklists.
• Reduced burden on compliance departments: some procedures move to automatic screening and machine-readable reporting for regulators.
• Increased trust from banks and partners: mature digital compliance and cybersecurity are already mandatory criteria when selecting partners.

• implementation of digital identification systems and integration with eIDAS for the EU;
• use of solutions for machine-readable AML reporting and automatic report generation;
• implementation of modules for real-time transaction monitoring and sanctions screening;
• building the internal architecture of embedded AML/KYC procedures into an IT or fintech company’s product.

How to avoid bank account freezes

• there is a single group KYC/AML standard, understandable to banks and PSPs;
• local procedures meet the expectations of the regulators of the specific countries;
• the company establishes KYT and Travel Rule processes in advance according to international requirements;
• a set of evidence of source of funds and justification of the group structure is prepared.

• analyzes exactly where the KYC processes did not satisfy the partner;
• refines the KYC policy and client dossiers;
• builds communication with the bank or payment institution, explaining the business model and compliance framework.

Single standard and local adaptation

For an international group it is not enough to “just adapt to the law”. A strategic KYC framework is needed that withstands scrutiny from regulators, banks and partners simultaneously in the EU, Asia and the CIS.

• Define global risk appetite and target markets
  Answer honestly: which clients you are willing to serve and in which jurisdictions this is permissible.
• Build a single group KYC/AML standard
  • policy structure,
  • KYC/KYT processes,
  • requirements for EDD and CBI,
  • digital perimeter and cybersecurity.
• Make local adaptation by country
  • take into account EU requirements, national laws, PSD2, eIDAS, FATF guidance;
  • embed substance and local regulatory expectations;
  • synchronize reporting and data formats.
• Integrate KYC/AML into the product and operations
  especially for fintech, payment companies, crypto services; ensure real-time monitoring and automation of key procedures.
• Regularly review the policy to meet new requirements
  • FATF and the EU update standards,
  • Asian regulators are increasingly aligning with them,
  • by 2026 the list of mandatory KYC and KYT elements will only growwiden.

When the founder of a fintech project comes to me with the question: “In which country is it best to obtain an EMI license and how can this be done without fatal mistakes?”, I always start not with the country, but with the business model. It is the business model that determines where you can operate sustainably, with understandable regulatory risks and a predictable ROI.

Over years of COREDO‘s work in Europe, Asia and the CIS, the team has taken clients through the entire journey: from the first idea “I want my own EMI license in the EU” to functioning payment institutions with passporting across the EEA, audits to international standards and a well-thought-out AML function. In this article I will distill that experience into a practical guide: how to choose a jurisdiction, which requirements are actually painful in practice, where the boundaries of regulatory risk appetite lie and how to reduce the likelihood of rejection at launch.

EMI license in the EU: what you need to know

EMI license in Europe: this is permission to operate as an issuer of electronic money and to provide payment services based on the PSD2 and EMD2 directives. Essentially, an EMI license in the EU allows you to:

• issue electronic money (wallet balances, prepaid solutions, stored value);
• open and maintain payment accounts for clients;
• provide payment and electronic money services for B2B and B2C models;
• build white‑label solutions for partners and scale a fintech platform across the EEA via passporting of the EMI license.

In any European country, the regulator looks at an EMI provider through three key areas:

• business model and resilience (business plan, profitability, risk management);
• compliance for the EMI provider (AML/KYC, governance, fit & proper management);
• IT and operational infrastructure (security, incident management, safeguarding of funds).

My practical advice: don’t treat an EMI as a ‘checkbox’ or a shiny status. It’s an infrastructure solution for business for the next 5–10 years. If you don’t expect to operate at least on that horizon, the partner-provider model might be more appropriate for now.

Full EMI license or small EMI/PI: where to start?

Many projects come with a strict request: “we need only a full EMI license.” In practice, it makes sense to consider three options:

• full EMI license
  Suitable if you plan to scale across the entire EEA, process significant volumes and work with different segments (B2B/B2C, cross‑border payments, wallets, cards, API integrations for open banking).
• small EMI license (restricted Electronic Money Issuer License)
  This is a compromise: local or volume‑limited operations, simplified requirements, but without passporting across the EEA. In some countries it is used as a “training ground”: to prove to the regulator, investors and yourself that the model works.
• PI (payment institution)
  PI license in the EU allows providing payment services without the status of an electronic money issuer. For some models — money remittance, acquiring or certain B2B solutions — a PI can be sufficient.

I strongly do not recommend choosing between EMI and PI “based on a feeling.” At COREDO we always start by analysing use cases: which products you offer, to whom, in which countries, what limits, where the client balance arises, how you earn money, and what the structure of fees and float is.

How to choose a country for an EMI license

The phrase “which country is best to obtain an EMI license” is incorrect by itself. More accurate is “which jurisdiction is optimal for my business model, risk profile and scaling strategy.”

I always recommend entrepreneurs look at a country through five areas:

1. regulatory risks of an EMI and the regulator’s risk appetite
   • How does the regulator respond to new business models?
   • How often do the rules change?
   • What is the supervisory practice (frequency of inspections, tone of communication, predictability of decisions)?
2. Minimum capital for an EMI and capitalization requirements
   • Initial capital: typically €350,000 for a classic EMI model in the EU.
   • Ongoing capital adequacy: methodology for calculating capital against transaction volumes and risks.
   • You need not only a formal amount but a deliberate model: where you will hold the capital, how to present it under IFRS, how the capital structure will change as you grow.
3. Substance requirements for an EMI (office, staff)
   • Real business presence: local office, employees, resident directors.
   • Role of the local team: who actually makes decisions, who is responsible for compliance, risk management, IT.
4. IT requirements for an EMI license
   • compliance with requirements for ICT and security risk management;
   • architecture, redundancy, disaster recovery plan;
   • management of cyber and operational risks of an EMI, working with outsourcing and cloud providers.
5. Tax aspects and the group’s overall structure
   • compatibility of the country with your flows (B2B, B2C, cross‑border payments);
   • double taxation treaties;
   • the jurisdiction’s impact on investors’ valuation of the project and future funding rounds.

COREDO’s task in such projects is not simply to “register” but to help build a structure that will withstand scrutiny from the regulator, the auditor and investors simultaneously.

Jurisdictions for an EMI license: where and for whom

Below: not a “country ranking”, but typical scenarios that I see in projects coming to COREDO.

EMI license in Lithuania

Lithuania has long become a magnet for fintech projects oriented to the EEA. For many international players, an EMI license in Lithuania is a practical way to enter the European market with predictable timelines and transparent requirements.

When this country makes sense:

• EMI license passporting across the EEA is critical for you;
• you are building a product focused on the EU, but the team is distributed across different countries;
• you are ready for serious work on IT and risk management: the regulator pays close attention to ICT, operational risks and safeguarding.

In practice, the COREDO team pays especially close attention to Lithuanian projects regarding:

• the three‑year business plan and stress‑testing of the model;
• IT architecture: redundancy, incident monitoring, logging, change management;
• AML/KYC model: how the risk‑based approach is reflected in procedures and IT systems.

EMI licence in Ireland

An EMI license in Ireland is most often considered by more mature projects and groups that are building a European hub.

Key features:

• high requirements from the Central Bank of Ireland for the governance structure, fit & proper management, and independent control functions;
• a strong focus on compliance for the EMI provider: AML, risk management, internal audit;
• increased attention to business model sustainability and long‑term viability.

I often see teams underestimating the cost of compliance in Ireland: this includes not only in‑house specialists, but also external consultants, auditors, and the schedule of regular checks. The reward for this is a high level of market and investor trust.

EMI license in the Czech Republic

Czechia appeals to those looking for a balance between operating costs, the level of regulatory oversight, and the ability to work with clients from different European countries.

Features:

• a straightforward infrastructure for company registration and establishing substance;
• reasonable requirements for local presence and governance;
• the possibility to combine an EMI license with operational activity in Central Europe.

Client case: the COREDO team supported a project that considered EMI in Lithuania versus EMI in Czechia. In the end the strategy split: Lithuania — for scaling a B2C product across the EEA; Czechia — for the operational back‑office, development and part of the B2B direction. This is a scenario when one country for an EMI license is not the only answer.

EMI license in the UK: FCA requirements

An EMI license in the UK is the choice of those who consciously accept a high level of regulatory supervision by the FCA, expecting in return a strong brand and access to the British ecosystem.

What is important to consider:

• the FCA’s requirements for governance, risk management, and transparency of the beneficiary structure are especially detailed;
• a lot of attention is paid to outsourcing and service providers for EMIs, including cloud solutions;
• requirements for cybersecurity, incident reporting and IT resilience are being strengthened.

For an international project focused on Europe and Asia, it makes sense to consider the UK as part of a broader structure rather than the sole entry point.

Mauritius: EMI license for an offshore setup

An EMI license in Mauritius raises many questions among entrepreneurs: «how reliable is it to build an international fintech business based on such a license?»

I’ve seen successful cases where Mauritius:

• was used as a hub for international settlements outside the EEA;
• was combined with a European structure (for example, Lithuania / Ireland) to serve clients in the EU;
• allowed optimizing tax burden and group structure while meeting substance requirements.

Problems of the original headline:

• Unnecessary jargon (‘Typical’, ‘bottlenecks’)
• Sounds like an academic paper, not a search query
• Contains 9 words, which exceeds the recommendation

Bottlenecks in EMI licensing

To reduce the risk of refusal to grant an EMI license, I always ask clients to honestly assess three areas before approaching the regulator.

Ownership structure and beneficiaries

The regulator pays close attention to:

• transparency of beneficial ownership;
• sources of funds (source of funds / source of wealth);
• the history and reputation of shareholders and directors (fit and proper test).

Complex multi-level structures without a clear economic rationale increase EMI regulatory risks in any country. At COREDO we often start with “clean-up” of the structure: removing unnecessary layers, putting corporate documents in order, and preparing justification for the ownership chain.

Business plan and revenue model

For the regulator it’s important not only to see a three-year financial plan, but also to understand:

• how you earn (subscription, commission, interchange income, FX margin, B2B fee);
• how you manage regulatory risk (for example, high-risk segments, cross-border payments);
• what will happen to the company under stress scenarios: loss of a key partner, an increase in chargebacks, regulatory changes.

The COREDO team practices stress-testing business models for an EMI license: we model several scenarios and see how capital, liquidity and compliance costs change.

AML/KYC and a risk-based approach

AML/KYC procedures for an EMI provider are where regulators most often raise additional questions. Typical issues:

• declarative policies without a description of the real process;
• lack of linkage between the client risk map and triggers in the IT system;
• an unreasonably lenient or, conversely, excessively strict approach to high-risk segments.

I see entrepreneurs worry that strong risk-based AML will “kill conversion”. In practice, a well-designed approach allows:

• to segment customers by risk and build different KYC pathways;
• to use data providers and automation to speed up the low-risk flow;
• to keep a “manual mode” and enhanced Due Diligence for high-risk.

IT architecture, cybersecurity and outsourcing from the regulator’s perspective

In European projects I increasingly see that the outcome of an EMI license application is decided at the level of IT and security architecture.

Key areas of regulatory focus:

• IT and security risk management for EMI: incident response policy, disaster recovery, business continuity;
• API architecture and operation logging;
• segregated environments (development / testing / production) and change management;
• use of cloud services and critical outsourcing.

When preparing for licensing the COREDO team goes through with the client in detail:

• the infrastructure diagram (servers, data centers, cloud providers, VPN, key services);
• data flows (including customer data, payment data, logs);
• backup model and RTO/RPO metrics.

Timeline and cost of an EMI license

To the question “how long does obtaining an EMI license in the EU take” I always answer with one word: it depends. But there is a realistic range.

With preparation taken into account:

• analysis of the business model and choice of jurisdiction;
• company structuring, substance, appointment of directors and key functions;
• preparation of the business plan, policies, procedures, IT descriptions;
• preliminary consultations with the regulator (where appropriate);

A full turnkey project in Europe typically takes 9–18 months, sometimes longer: if the model is complex or the group structure is non-trivial.

The cost of obtaining an EMI license consists of:

• minimum share capital (for example, the EMI minimum share capital of 350,000 euros for some EU countries);
• professional services (legal support for an EMI license, financial modeling, IT and AML design);
• expenses for substance: office, local team, directors, control functions;
• subsequent audit and an ongoing compliance function.

How to reduce the risk of refusal by the regulator

The regulator doesn’t want to stop you from operating. Its job is to ensure you operate safely. It’s important to remember that.

1. Early dialogue and transparency
   • It’s easier to explain a complex element of the model at an early stage than to defend it after the official submission.
2. Consistency of documents
   • The business plan, policies, IT descriptions, governance structure, and partner agreements should be logically consistent. The regulator quickly spots inconsistencies.
3. Realism
   • Overly aggressive growth plans that are not backed by capital, team, and technology raise doubts. At COREDO we often temper expectations and rebuild the financial model.
4. Readiness for oversight
   • Regulatory oversight (on-site and off-site inspections, regular reports, audits) is not a “punishment”, but a normal part of life for a licensed company. It’s important to set up processes in advance, rather than reacting after the fact.

When it’s better to work with a partner instead of obtaining an EMI license

There are scenarios in which I honestly recommend not rushing to obtain a license:

• the product hasn’t yet achieved market fit;
• unit economics are unstable;
• the team is not ready to support full compliance, risk, and IT operations at the level expected of a licensee.

COREDO’s role here is not to sell a licensing service, but to help see the entire path: from an MVP to a fully licensed institution, with minimal regulatory and operational risks.

How to open an EMI structure with COREDO

In practice, the COREDO team:

• analyzes the business model and helps choose a country where EMI regulatory risks in different jurisdictions align with your risk appetite;
• structures the legal entity (or group), builds a clear ownership structure and substance;
• prepares the complete documentation package for licensing: from the business plan and risk policy to AML/KYC procedures and IT descriptions;
• supports dialogue with the regulator, helps respond promptly to requests and adjust the model;
• sets up ongoing support: AML consulting, legal support, interaction with auditors, updating policies for regulatory changes.

My personal view is simple: having your own EMI license for an international fintech project is an investment in control over the product, margins and the pace of development. But only if you are prepared for serious, systematic work on regulatory, IT and operational risks.

When an entrepreneur or a CFO says to me: “We want to buy a licensed PSP company in Europe”,: I always ask the same counter-question: “Are you sure you are ready for an honest Due Diligence?”

The purchase of a payment institution (Payment Institution) or an electronic money institution (EMI), is not just an M&A deal, but the purchase of regulatory history, compliance culture and risk profile, which will either strengthen your holding or become a source of ongoing conflicts with regulators and banks.

Over the years of COREDO‘s development in the EU, Asia and the CIS our team has completed dozens of projects with clients: from due diligence when buying a PSP company in Europe and Singapore to supporting transactions for acquiring EMI/PI licenses together with companies and integrating these assets into large financial groups. This experience has shown: 80% of a deal’s success is determined by the quality of preliminary due diligence: legal, financial, tax, operational and, of course, AML/KYC.

Why it’s more advantageous to buy a licensed PSP

When we discuss a payments market entry strategy with clients, there are usually two options on the table:

• obtaining a new license (EMI/PI) in the EU, the UK, Singapore or Dubai;
• buying a licensed PSP company with an existing license and infrastructure.

Buying an existing PSP allows:

• to reduce time-to-market: often 12–18 months faster compared to obtaining a new license;
• to obtain established relationships with correspondent banks and payment partners;
• to inherit merchants, the technology platform and the team;
• to use the existing license for passporting within the EU (subject to compliance with PSD2 requirements and national rules).

But along with the license the investor takes on:

• regulatory legacy risks (past violations, outstanding regulatory orders);
• the historical transaction profile and client portfolio;
• the PSP’s reputational history in the market.

Structure of due diligence for a PSP company

When I’m asked to perform due diligence when buying a PSP company, I immediately divide the work into at least six blocks:

1. Legal due diligence
2. Regulatory and licensing due diligence (including checking the PSP license)
3. AML/KYC due diligence and compliance check
4. Financial and tax due diligence
5. Operational due diligence and IT/cyber security
6. Strategic and business due diligence (unit economics, model sustainability, ROI)

Each block provides its own layer of red flags, and at COREDO we are used to presenting the result as a risk heatmap: a visual map of the key deal risks and their impact on price, the SPA structure and the post-closing roadmap.

Legal due diligence: structure and change of control

Legal support for the purchase of a PSP in the EU and Asia begins with basic but critical matters.

What I check first

• Ownership structure and beneficiaries (UBO)
  • transparency of the ownership chain;
  • presence of trusts, nominee structures, offshore elements;
  • whether beneficiaries match those registered with the regulator.

  Red flags when buying a PSP: discrepancies between corporate documents and regulator data, hidden controllers, complex structures without a business purpose.

• Legal origin of the license
  • whether the constitutional documents and the license contain restrictions on change of control;
  • whether mandatory approval of a change of control by the regulator is required;
  • whether there are legal restrictions on changes to directors and key personnel.
• Presence of material contracts and obligations
  • agreements with correspondent banks, payment schemes, anti-fraud and KYC providers;
  • agency, outsourcing and white-label agreements;
  • agreements with key merchants, partner and referral contracts.

Which documents to request during PSP due diligence

The list is always adapted to the jurisdiction, but the core remains:

• corporate documents (articles of association, shareholders’ resolutions, register of participants);
• PSP license/EMI, all appendices, letters and regulator decisions;
• register of shareholders and beneficiaries, UBO confirmation;
• key commercial contracts (banks, schemes, merchants, KYC/AML providers, IT outsourcing);
• internal policies & procedures (regarding governance, decision‑making, outsourcing);
• history of legal disputes and counterparty claims.

Regulatory due diligence: license and PSD2

How to check a PSP license in the EU

I always insist on at least:

• verification of the license via the regulator’s official register;
• analysis of the license scope: which types of payment services are permitted, and whether there are geographic or client-type restrictions;
• checking the business model’s compliance with PSD2 requirements (and prospectively PSD3) and AMLD.

History of regulator inspections and orders

The COREDO team always requests:

• copies of regulatory letters, orders, enforcement actions for the last 3–5 years;
• external auditors’ reports on regulatory matters;
• remediation plans and action plans submitted by the PSP to the regulator.

The key question is how the company responded to findings: whether it addressed them promptly, strengthened the compliance function, and improved governance.

AML/KYC due diligence when working with PSP

What I check in KYC/AML compliance

• Risk-based approach policy
  • whether there is a formalized risk appetite statement;
  • how clients are segmented by risk (high‑risk industries, high‑risk jurisdictions);
  • how decisions on onboarding and offboarding are made.
• KYC/AML procedures
  • customer due diligence (CDD) and enhanced due diligence (EDD);
  • source of funds/source of wealth checks;
  • procedures for ongoing monitoring of customers and transactions;
  • sanctions screening, PEP screening, adverse media.
• Transaction monitoring & anti‑fraud
  • presence of an automated transaction monitoring system;
  • scenarios and rules (rules‑based, risk‑based or hybrid models);
  • model for managing alerts and internal investigations;
  • chargeback ratio and dispute ratio metrics for key merchants.

Which documents for AML are needed for due diligence

In COREDO projects for AML due diligence of a PSP provider, I usually request:

• AML policy, KYC policy, risk assessment and risk appetite statement;
• descriptions of onboarding, monitoring, investigation and reporting (SAR/STR) processes;
• internal and external AML audit reports;
• statistics on STR/SAR, offboardings and onboarding refusals for the last 2–3 years;
• training records for employees;
• a sample of customer files (KYC dossiers), including high‑risk customers and PEPs;
• a sample of transactions in high‑risk segments for forensic analysis.

Due diligence of high-risk jurisdictions

For international investors, we at COREDO regularly conduct sanctions due diligence of a payment company:

• we analyze countries, currencies and payment corridors;
• we check whether there are clients or transactions linked to sanction regimes;
• we assess the sanctions screening and negative news monitoring processes.

Financial and tax due diligence: regulatory context

The payments business is specific: a purely financial due diligence does not give the full picture without understanding regulatory constraints.

In COREDO’s PSP financial due diligence projects we look at:

• revenue structure: processing fees, interchange, FX margin, ancillary services;
• concentration of revenue among a few key merchants;
• stability of margins and unit economics by segment;
• expenses for compliance, IT, licenses and regulatory capital.

We supplement tax due diligence in fintech acquisitions with:

• analysis of intercompany agreements within the group;
• verification of substance in the jurisdictions where the company operates;
• assessment of the tax model’s alignment with the overall business logic.

Operational due diligence — IT/cybersecurity

For a PSP technology is not back‑office, but the core of the licensed activity. Operational due diligence of a PSP provider at COREDO always includes:

• assessment of governance: role and independence of the board of directors, existence of a compliance committee, three lines of defence;
• analysis of the key team: experience of the CEO, COO, CCO, MLRO, IT director;
• assessment of the incident management and business continuity processes.

IT infrastructure and cybersecurity review

Minimum set of questions:

• platform architecture (own vs white‑label, critical dependencies on vendors);
• SLAs with key providers, uptime, disaster recovery plans;
• results of penetration testing and vulnerability assessments;
• access management, logging, segregation of duties.

GDPR and personal data

In the EU and the UK I always pay special attention to:

• presence and implementation of GDPR policies (data protection, data retention, data minimisation);
• appointment of a DPO and their role;
• data breach incidents and the company’s response.

Red flags during PSP due diligence

Over the past few years the COREDO team has developed a fairly consistent list of “red flags” that lead me to either strongly recommend revising the price and deal structure or to walk away altogether:

• Mismatch between licensed and actual activities (for example, hidden e‑money activity without the appropriate license).
• Systemic AML violations/KYC: lack of adequate documentation for high‑risk clients, weak EDD procedures, a formal approach to ongoing monitoring.
• Open regulatory investigations or outstanding orders.
• Heavy concentration on sanctions‑sensitive markets or high‑risk jurisdictions without a considered risk‑based approach.
• Critical dependence on a single correspondent bank or a single large merchant.
• History of serious data breaches, weak cybersecurity, lack of proper disaster recovery.
• Opaque ownership structure, hidden beneficiaries, discrepancies between regulator records and corporate documents.
• Absence of a real governance structure and an independent compliance officer.

Due diligence in the deal structure

When due diligence in an acquisition is completed, the most important thing for me is to translate the findings into specific legal and financial SPA mechanisms.

In practice COREDO often offers:

• earn‑out: part of the price is tied to future performance (including compliance indicators, retention of licenses, absence of new sanctions/penalties);
• escrow and holdbacks: part of the amount is blocked for a period sufficient to surface potential legacy risks;
• specialized representations & warranties regarding:
  • absence of undisclosed regulatory investigations;
  • completeness of disclosure of AML/CTF incidents;
  • license status and absence of grounds for its revocation;
• indemnities for:
  • fines and sanctions for breaches whose roots lie pre-closing;
  • regulatory claims related to the historical client portfolio and transactions.

Comparison of jurisdictions for investors

A separate part of the work is choosing a jurisdiction for acquiring a licensed PSP company: the EU, United Kingdom, Singapore, certain Asian or Middle Eastern centres.

What we usually focus on with clients:

• the strictness and predictability of the regulator;
• requirements regarding capital adequacy and safeguarding;
• banks’ attitude towards PSPs from that jurisdiction;
• scalability opportunities (passporting in the EU, cross-border Licensing in Asia);
• historical cases of enforcement practice.

How I structure PSP due diligence with a client

To make due diligence of a payment institution in Europe or Asia genuinely useful rather than formal, at COREDO we follow a simple but effective methodology:

1. We build a map of the investor’s objectives
   • why the PSP is being acquired (geography, products, license, technology, customer base);
   • planning horizon (rapid integration or a careful roll‑out).
2. We develop the scope of due diligence and a deal risk map
   • we determine the depth of review by blocks: legal, regulatory, AML/KYC, financial, tax, IT, operational;
   • we identify critical KPIs and red flags.
3. We perform a phased analysis
   • first a high‑level screening (to weed out clearly problematic targets at an early stage);
   • then a detailed deep dive into key areas.
4. We turn the findings into a deal plan
   • we adjust the deal structure and the SPA;
   • we prepare a remediation roadmap after closing;
   • we model scenarios of regulatory inspections and stress scenarios (for example, withdrawal of correspondent accounts by the main bank).
5. We support the change of control and interaction with the regulator
   • we prepare the document package for approval of the change of control;
   • we help establish a dialogue with the regulator to explain the new owner’s strategy;
   • we take into account the timing and conditions of approvals in the deal timeline.

What’s important before a deal starts

• Due diligence of a fintech company and a PSP is never “too deep” when it comes to AML/KYC and regulation;
• weak compliance at the target almost always costs more than the highest possible price discount;
• a properly conducted due diligence when acquiring a company is not an expense, but a tool for negotiations and managing ROI.

If you are considering the purchase of a licensed payment institution, an EMI, or another fintech asset in the EU, Asia, or the CIS, start not with discussing the price but with a due diligence plan. Price is a derivative of risks, not the other way around.

Crypto custody in the EU is no longer a “grey area”. For me as the founder of COREDO this is one of the most telling areas: over the past few years the team has accompanied the evolution from experimental crypto platforms to mature financial infrastructures that are subject to the same strict regulatory requirements as banks and payment institutions.

In this article I will lay out what cryptocurrency regulation in the EU actually means, how MiCA, DAC8 and CARF are changing the rules of the game, and what needs to be built into the crypto custody business so it doesn’t just “survive 2026”, but use it as a point of growth.

Crypto custody in the EU: what is considered custody

When an entrepreneur tells me: “We’re not a bank, we just hold clients’ assets in wallets,” to the regulator that sounds like a classic crypto custody service.

The custody of crypto assets in the EU typically covers services that:

• have access to clients’ private keys or can initiate transactions on their behalf;
• provide a wallet structure (hot, cold, custodial) with responsibility for the safekeeping of assets;
• offer trust management, margin services, staking, if in doing so they control access to the funds.

The key mistake I often see is the attempt to “hide” the activity behind the wording “we’re just an IT platform.” For the regulator, what matters is not what you call the service in a pitch to investors, but:

• whether the user has full and exclusive control over the private keys;
• who legally owns the assets;
• who is responsible to the client in the event of loss or freezing of funds.

If you control the keys or manage assets on behalf of clients, you fall under the scope of a crypto-asset service provider (CASP) and you need the appropriate status and Licensing of crypto platforms in the EU.

MiCA: regulation of cryptocurrencies in the EU

The MiCA regulation ends the era of fragmented cryptocurrency regulation in Europe. For businesses, it is both a challenge and an opportunity.

Who CASPs Are and Why It Matters

MiCA introduces a single category – Crypto-Asset Service Provider (CASP). For crypto custody platforms this means:

• you cannot work with EU clients in a custodial capacity without a CASP license;
• after obtaining the license you get a single authorization for the EU market: you can serve clients via the «passporting» model without re-licensing in each Member State;
• all key requirements for capital, governance and compliance are now set at the regulation level, rather than being «spread out» across national rules.

MiCA requirements for crypto-custody

For crypto-asset storage services, MiCA sets out a set of basic building blocks:

Capital and financial resilience

corporate governance of CASPs
The owner of a crypto custody business can no longer remain simply a «tech entrepreneur». The regulator expects:

• a transparent ownership structure;
• a board of directors/management with relevant experience in finance and compliance;
• a documented risk management system;
• an independent compliance function and, for large entities, internal audit.

Organization of storage and IT security
MiCA strongly encourages:

• segregation of client assets and company funds;
• a policy for allocating storage between hot and cold wallets;
• procedures for managing private keys (generation, storage, rotation, backups, access on a «least necessary» basis).

MiCA transition period and deadlines

For existing crypto companies, the European Union has provided a MiCA transition period that ends by mid-2026. This is the window in which you need to:

• determine whether you fall into the CASP category;
• choose the country for primary licensing;
• restructure business processes to meet MiCA requirements;
• submit a full set of documents and obtain authorization.

DAC8 and CARF: taxation of crypto-assets

If MiCA covers “licensing and investor protection”, then DAC8 and CARF cover tax transparency.

What DAC8 means for crypto platforms

The DAC8 directive extends the European framework for administrative cooperation in tax matters to crypto-assets. For crypto custody and crypto platforms this means:

• an obligation to transmit client data and their transactions to tax authorities;
• integration into the regime of automatic exchange of crypto-asset data between countries;
• establishing processes to identify unpaid tax liabilities and prevent tax avoidance.

CARF: the reporting standard for crypto-assets

CARF reporting standards: an OECD initiative that essentially does for crypto-assets what the CRS did for standard financial accounts:

• a single message format for automatic exchange of information;
• a unified data set: client identification, crypto-asset balances, transaction history, transfers between accounts;
• the ability for tax authorities of different countries to view crypto-assets in the context of a client’s overall financial flows.

KYC/AML and a risk-based approach in crypto

Regulation no longer works without effective AML/CFT and KYC in crypto businesses. MiCA, DAC8, AMLR and national laws expect platforms to have mature, documented and verifiable compliance.

KYC/AML for crypto custody: basic framework

When we at COREDO build AML/CFT processes in crypto, for crypto custody platforms we typically form the following blocks:

KYC policy

• identification of natural persons and legal entities;
• document verification, screening against sanction and PEP lists;
• data updates on a schedule or by triggers (change in activity, suspicious transactions).

Risk‑based AML/CFT approach in crypto

• client segmentation by risk in crypto services (retail, professional, institutional, high‑risk jurisdictions, complex ownership structures);
• assigning a baseline risk rating during onboarding;
• reviewing risk ratings when new data emerges, client behavior changes or adverse information is detected.

transaction monitoring of cryptocurrencies

• scenarios for automatic detection of atypical or potentially suspicious transactions;
• transaction thresholds under DAC8 and internal limits for enhanced review;
• integration with blockchain analytics systems.

Blockchain analytics for compliance

Today, quality compliance for cryptocurrency platforms is impossible without blockchain analytics. From practice:

• in one licensing project for a crypto exchange we implemented integration with several blockchain analytics providers to:
  • check the ‘cleanliness’ of incoming and outgoing cryptocurrency;
  • track links to darknet markets, mixers, sanctioned addresses;
  • analyze transaction chains according to typical risk scenarios.

How to securely store crypto assets

MiCA and DAC8 define the “what” and the “why”. The question of “how” is engineering and operational design.

Hot, cold and non-custodial wallets

For crypto custody in the EU the key decisions are:

Hot wallets (hot wallets)

• provide high transaction speed;
• carry increased risks of hacking attacks and device compromise;
• require strict limits, multi-signatures, segregation by types of operations.

Cold wallets (cold wallets) and hardware devices

• used for the bulk of assets;
• integrated into multi-stage access procedures (multisig, physical safes, offline storage);
• entail a considered policy for storing seed phrases and backups of private keys (including the use of safes and bank deposit boxes).

Non-custodial wallets and regulation

Monitoring and reporting integration

To meet the requirements of MiCA, DAC8 and CARF, companies build:

• transaction monitoring systems capable of:
  • online analytics;
  • generating reports on request from regulators and tax authorities;
  • documenting all decisions (why an operation was approved, rejected, sent to enhanced Due Diligence).

Licensing crypto platforms in the EU 2026

Given MiCA, DAC8 and CARF the question ‘where to get licensed’ turns from a tax issue into a strategic decision about the company’s positioning in Europe.

Choosing a jurisdiction for a CASP license

When choosing a country for the primary CASP‑license I always advise founders to look at several parameters:

• speed and transparency of interaction with the regulator;
• practice of licensing crypto companies;
• capital requirements;
• approach to AML/CTF and tech solutions;
• ecosystem: banks, payment providers, consultants, auditors.

How to prepare for CASP licensing?

To avoid entering the process chaotically, I usually structure the preparation into four blocks:

Business and product model

• which crypto services in the EU you actually provide (custody, exchange, staking, tokenization, etc.);
• for which client categories (retail, HNWI, corporate, institutional);
• geography: only the EU or global coverage with an EU‑focus.

Corporate structure and governance

• a legal entity in the EU with a clear beneficial ownership structure;
• a board of directors and top management with verifiable experience;
• internal policies: risk management, compliance, IT security, business continuity.

Compliance framework

• KYC/AML policies taking into account a risk‑based approach;
• transaction monitoring procedures and blockchain analytics;
• internal investigation processes and reporting of suspicious transactions.

IT and operational infrastructure

• wallet architecture (hot/cold/non-custodial);
• logging and activity audit system;
• integration with analytics and reporting providers for CARF/DAC8.

Strategic issues for executives 2026

In conversations with owners and chief financial officers of crypto platforms, several strategic topics usually come into focus.

MiCA: competitive advantage

MiCA simultaneously:

• raises the barrier to entry for crypto businesses;
• creates a predictable framework for those willing to invest in regulation and compliance.

Return on investment in compliance

• costs for AML/KYC tools and reporting under DAC8/CARF are better viewed as investments in:
  • access to large clients (banks, funds, institutional investors that require strict compliance);
  • reduced likelihood of sanctions and inspections;
  • increased company valuation when raising capital or exiting the business.
• One of COREDO’s clients managed to increase the company’s valuation in a funding round precisely because it already had a prepared MiCA‑ready compliance framework and a clear plan for CASP licensing. For the investor this meant a manageable regulatory risk.

Scaling the business in the EU and abroad

MiCA with CASP passporting makes the EU one of the most structured markets. For many Asian and Middle Eastern players that COREDO works with, the strategy looks like this:

• create a regulated storefront in the EU under MiCA, DAC8, CARF;
• use it as an “anchor of trust” for global clients;
• build additional jurisdictions around it with a different focus (for example, experiments with DeFi, new tokenization models) in more flexible regimes, but relying on the European standard of compliance.

How COREDO helps develop crypto custody businesses

My personal interest in the crypto market has always been pragmatic: those who can operate under changing regulation survive in the long term. Over years of work with the EU, the United Kingdom, Cyprus, Estonia, Singapore and Dubai, the COREDO team has developed several strategies for supporting crypto projects:

From idea to CASP license

Reengineering existing crypto custody for MiCA/DAC8

As a result, the client receives not a “list of problems”, but a change plan with prioritization and an assessment of the impact on the business model.

Comprehensive support after obtaining licenses
Registration and licensing are the start, not the finish. In practice COREDO remains by your side afterwards:

• helps prepare for regulator inspections;
• adapts processes to new recommendations from the EBA, the European Commission and national regulators;
• participates in updating AML/KYC policies and procedures when launching new products and entering new markets.

In international business, a growth strategy today inevitably runs up against compliance: company registration in the EU and Asia, financial licenses, KYC/AML, sanctions compliance, cross-border operations: all of this becomes a single task of managing compliance risks at the group level, not of individual legal entities.

Over ten years of COREDO’s work with holdings from Europe, Asia and the CIS, I have become convinced: until a group has a clear map of compliance risks and an established compliance risk mapping, any new jurisdiction, license or bank adds not business opportunities, but points of vulnerability.

How to approach compliance risk mapping for international holdings practically: what to consider a risk, how to build the map, how to align it with the board of directors’ risk appetite and licensing, and which solutions have worked in practice in COREDO projects.

Compliance-risk map of the holding company

If you have:

• companies in several countries of the EU, Asia and the CIS;
• licenses (or plans) for payments, forex, crypto, EMI, investment services;
• ownership structure is multi-level, with trusts, SPV, separate holdco;

then your key resource: not only the corporate structure, but the transparency and manageability of compliance risks.

• bank de‑risking and denial of service: banks see an «unclear» structure, weak KYC/AML, unpreparedness for a sanctions audit;
• blocking & freezing of assets due to sanctions violations or errors in handling PEP/high‑risk jurisdictions;
• reputational damage and an increase in the cost of capital, investors and partners begin to factor a high cost of non‑compliance into valuations;
• prolonged regulator investigations in the EU and Asia, licensing restrictions, additional capital and reporting.

When the COREDO team enters a holding at the scaling stage, most problems come down to one thing: the compliance system cannot keep up with geography and product. There is no centralized risk register, no risk owners, compliance is perceived as a set of documents rather than as an enterprise risk management tool for international groups.

Compliance risk in an international context

Compliance objectives in a global holding are not only “avoiding fines”. They include:

• maintaining access to banking infrastructure and payment providers;
• protection against sanctions and AML incidents;
• compliance with licenses (payment, EMI, crypto, MiFID-like, local regimes in Asia);
• an acceptable level of reputational risk for investors and partners.

• a unified risk taxonomy for compliance;
• a formalized process for identifying, assessing, treating and monitoring compliance risks;
• a documented risk assessment report and a risk register.

When at COREDO we conduct a compliance risk assessment in a transnational group, we divide risks into:

• regulatory (regulatory compliance in the EU and Asia, licenses, reporting);
• sanctions and AML risks for holdings;
• operational (KYC/AML processes, onboarding, monitoring, IT GRC);
• legal (contracts, beneficial ownership transparency, CRS/FATCA, ESG compliance);
• reputational (incidents, investigations, media environment, customer complaints).

Compliance-risk map: methodology

The methodology for building a compliance-risk map relies on a detailed understanding of how the business is structured and where exactly vulnerabilities arise in its processes. Based on the business map, we step by step move to forming a structured compliance-risk map that shows which violations can occur, at which points, and with what probability.

Business map and risk map

Next, the steps:

1. Business-process approach to compliance mapping
   We explicitly describe key processes:
   sales, client onboarding (KYC/KYB), payments, account operations, work with suppliers and agents, HR, IT, reporting.
   On this basis, a compliance risk map by business processes is formed.
2. Identification of risk areas
   For each process we identify:
   • points of generation of sanctions risks and AML risks;
   • zones of cross-border compliance risks (payments, transfers between jurisdictions, use of different currencies, correspondent accounts);
   • contact with regulators, banks, payment systems, auditors.
3. Collection of data and incidents
   The COREDO team usually forms a centralized risk register of compliance incidents:
   regulator requests, payment blocks, bank inquiries, detected violations, red flags.
   This provides real statistics for assessing likelihood.

Likelihood and impact according to ISO 31000
Classic question: how to measure compliance risk, by probability or by severity of consequences?

In COREDO’s practice with holdings we use a two-dimensional assessment:

• likelihood, frequency of occurrence: from «rare» to «frequent»;
• impact, effect on: licenses, banking access, financial results, reputation, personal liability.

It is important to distinguish:

• likelihood as an expert assessment based on incidents and specifics;
• probability as a more strict, quantitative measure (where data exist).

Risk appetite and risk ownership
Without alignment with the board of directors’ risk appetite the risk map remains an academic document.

What I do at the governance level:

• the board of directors formulates the compliance risk appetite:
  which sanctions, AML, regulatory, operational risks are acceptable and which are not;
• risk tolerances are established – acceptable ranges for key KRIs (for example, the number of payments rejected for sanctions reasons, frequency of regulator inquiries);
• risk owners / owners of compliance risks are appointed – generally business unit leaders, not only compliance officers.

Centralized, Decentralized and Hybrid Compliance Models

In international holdings, I see three patterns of compliance governance in multinational holding structures.

Competence Center
A compliance competence center at the head office:

• a single methodology for constructing the compliance risk map;
• centralized risk register and risk assessment report;
• common policies: sanctions compliance, AML, KYC/KYB, TPRM, ESG, data protection;
• a single IT GRC core and compliance infrastructure (RegTech, case-management, monitoring).

Decentralized system model
Local compliance officers in subsidiaries:

• strong adaptation to regulatory compliance in the EU and Asia (local regulators, reporting, languages);
• their own practices for interacting with banks, payment institutions, and financial intelligence units.

Hybrid Model
In most COREDO projects, I promote a hybrid model of compliance risk management in the group:

• head office: methodology center, governance, risk & compliance (GRC approach), a common risk map for the holding;
• subsidiaries: adaptation and detailing of the compliance risk map for the holding with assets in Europe and Asia to their own processes;
• unified standards (ISO approach, policies, KYC/AML framework), but local procedures where required by the regulator.

Sanctions and AML risks in multi‑level structures

Sanctions and AML risks in multi‑level structures are amplified by complex ownership chains, cross‑holdings and beneficiaries from different jurisdictions. To avoid inadvertent exposure to restrictions and regulatory enforcement, businesses need a systematic sanctions audit and a detailed sanctions risk map that covers every level of the structure.

Sanctions audit and risk map
For private equity groups and complex ownership structures, the COREDO team often starts with a sanctions audit and sanctions Due Diligence:

• analysis of beneficial ownership transparency: who the ultimate beneficiaries are and at which levels;
• assessment of multi‑level ownership structures, trusts, funds, SPVs, offshore entities;
• mapping cross‑border chains: payments, dividends, intercompany financing.

On this basis we develop:

• sanctions risks and the holding’s risk map:
  • risk of being listed on sanctions lists;
  • compliance risks when dealing with PEPs and high‑risk jurisdictions;
  • risk of indirect ownership/relationships with SDN‑listed parties;
• “red flags” for internal systems:
  • anomalous payment chains;
  • new counterparties from high‑risk countries;
  • atypical changes in ownership structure.

Integration of AML systems into the risk map
A classic mistake: building the AML system separately from the overall compliance risk map.

A solution that COREDO has successfully implemented in holdings with payment and crypto licenses:

• integration of AML systems into the holding’s overall compliance risk map;
• use of a risk‑based approach when building the compliance risk map:
  • client segmentation by risk;
  • risk‑based KYC and differentiated procedures;
• setting up an AML transaction monitoring system as a source of KRIs:
  • proportion of transactions subject to manual review;
  • number of identified red flags;
  • number of reports to the financial intelligence unit.

Digital infrastructure: IT GRC and RegTech

In holdings with a large number of jurisdictions, licenses and banking relationships, manual compliance risk mapping becomes unmanageable.

Therefore I consider digital platforms for managing compliance risks (RegTech, GRC systems) as the core of the compliance infrastructure:

• IT GRC and compliance for international holdings provide:
  • a centralized risk register and incident register;
  • case management for compliance incidents;
  • process documentation and audit trail;
  • dashboards and dashboards / scorecards for management.

• Integration of AML/KYC with GRC:
  • data lineage and data quality in AML/KYC systems;
  • the ability to link client and counterparty cases and incidents to specific risks on the risk map;
  • monitoring key risk indicators (KRI) in near‑real time.

The COREDO team acted as architect on several projects:
we described the compliance infrastructure, developed requirements for RegTech solutions, and then integrated them with banking, payment and CRM systems.

Compliance risk map and corporate governance

The compliance risk map becomes a practical tool that links corporate governance with the actual areas of responsibility and control within the company, showing where and how violations may occur. Through this link, the ‘three lines of defence’ model helps build a transparent allocation of roles, from the operational level to the board of directors, and provides a unified system for managing compliance risks.

The three lines of defence in a bank
An effective compliance system as a risk management tool does not operate in isolation:

1. First line: business units and operational staff.
   They are the key risk owners; it is here that primary risks arise and are managed.
2. Second line: legal, risk and compliance functions.
   Their task – methodology, monitoring, updating the compliance risk map and control.
3. Third line: internal audit.
   It validates the compliance risk map, checks the realism of assessments, the presence of controls and the effectiveness of processes.

In one of COREDO’s projects for a holding with licenses in the EU and Asia, we began by ‘reworked’ the risk map together with internal audit:
some risks that were considered low turned out in practice to be critical because of cross‑border characteristics and the requirements of specific regulators.

Tone at the top and compliance culture
Without tone at the top and a compliance culture, any risk map turns into bureaucracy.

• approve risk appetite and risk tolerance;
• include compliance KPIs at the top‑management level;
• support regular reviews of compliance risk mapping and reports on KRIs;
• allocate resources for compliance training and awareness‑programs.

COREDO’s practice shows: when compliance KPIs become part of the management bonus system, residual risk begins to materially decrease.

Compliance risk mapping in an international holding company

That very «step-by-step plan» the COREDO team uses in a typical project for a group with assets in Europe and Asia.

1. Diagnostics
   • analysis of jurisdictions, licenses, banking and payment relationships;
   • assessment of the maturity of the current compliance‑function and IT‑landscape;
   • collection of incidents, requests from regulators and banks, sanctions and AML‑cases.
2. Risk taxonomy and processes
   • development of the compliance‑risk structure for international holdings;
   • process descriptions (onboarding, payments, TPRM, HR, IT, reporting);
   • identification of cross‑border chains and areas of sanctions/AML risk.
3. Assessment and map construction
   • compliance risk assessment according to the ISO‑approach: likelihood and impact;
   • creation of the risk register and the risk assessment report;
   • visual risk map / heat map for the board of directors.
4. Linkage to risk appetite and governance
   • alignment of risk levels with the board of directors;
   • appointment of risk owners and roles;
   • choice of model: centralized, decentralized, hybrid.
5. Integration with internal control and audit
   • building the link «risk map: control procedures – checks»;
   • involvement of internal audit in validation of assessments and scenario analysis;
   • stress‑testing of the compliance‑system and scenario risk analysis.
6. Digitalization and RegTech
   • definition of requirements for the GRC‑platform and AML/KYC‑solutions;
   • integration with CRM, payment, banking and accounting systems;
   • launch of dashboards and automated compliance monitoring.
7. Continuous monitoring and review of the risk map
   • regular updating of the compliance‑risk map (at least annually, and more often in case of significant regulatory changes);
   • analysis of new jurisdictions, products, partners;
   • adjustment of KRIs and processes.

Compliance risk map: ROI and impact

From COREDO’s experience I see several consistent effects:

• Reduction in cost of non‑compliance
  Fewer fines, fewer blocks, fewer bank refusals.
  For fintech and holding groups this directly affects the cost of capital raised and business valuation.
• Faster expansion into new jurisdictions and licenses
  When you have established compliance management in an international business, regulators and banks view the holding differently – as a predictable and understandable player.
• Reduction of reputational risks
  A clear compliance risk map, scenario analysis, and properly structured sanctions and AML compliance reduce the likelihood of events that could undermine market trust.
• Manageability of growth
  When scaling into new markets, in M&A deals, or launching new products, the risk map becomes a filter:
  what can be done, where additional control is needed, where it’s better to refrain.

In one of COREDO’s cases for a group with assets in the EU and Asia, the implementation of a compliance risk map and a GRC platform:

• reduced the number of problematic requests from banks by more than half;
• reduced the share of manual transaction reviews thanks to better risk‑based calibration;
• allowed the regulator to approve the license expansion, relying on the provided risk assessment report and governance structure.

What you should personally consider

1. Does the group have a formalized compliance‑risk map, rather than a set of fragmented policies?
2. Do the board of directors and top management understand their risk appetite specifically in terms of compliance and sanctions?
3. Are your IT systems, AML/KYC and processes tied to a single GRC approach, or does each legal entity operate independently?

Команда COREDO за последние годы сопровождала холдинги в ЕС, Великобритании, Чехии, Словакии, на Кипре, в Эстонии, Сингапуре и Дубае – от регистрации юридических лиц и получения финансовых лицензий до построения комплексных комплаенс‑систем и risk map на уровне группы. Этот опыт убеждает меня в одном:

Your compliance‑risk map is essentially a strategic map of the holding’s resilience. And the more complex your geography and licenses, the more important it is that this map is not only drawn but actually works every day.

When in 2016 I launched COREDO, I had a very simple idea: international business should receive clear and predictable solutions, not a collection of disparate services from a dozen consultants in different countries. Since then the COREDO team has grown from a small consultancy to a partner that takes on the full cycle of tasks: from company registration in the EU, Asia and the CIS to obtaining financial licenses, setting up AML frameworks and long-term business support.

In this article I want to candidly and to the point examine three key questions that you, as an owner or chief financial officer, face in international projects:

• how to choose and structure jurisdictions for a company;
• how to approach licensing (banking, payment, crypto, forex and other licenses);
• how to build a sustainable AML system and a comprehensive support model so that the business runs smoothly, not from one inspection to the next.

And at the same time I’ll show how we solve these tasks in practice at COREDO: with numbers, case studies and concrete approaches.

Choosing a jurisdiction for business

Over the years I have become convinced: the mistake is not a “bad” country, but a misformulated objective. The same jurisdiction can be perfect for a fintech startup and completely unsuitable for a traditional trading business.

When a client comes to me with the request “just need a company in the EU”, I always slow the process down and ask five basic questions:

1. Where are the key clients and suppliers located?
   This affects VAT, permanent establishments and the risk of tax claims in the countries of presence.
2. Do you need access to licensing (financial services, crypto, payments)?
   Some countries offer more flexible regimes for fintech, others are more conservative but respected by regulators and partner banks.
3. What target level of substance (office, employees, directors) are you prepared to maintain?
   In the EU, requirements for economic presence are gradually tightening, and this must be honestly taken into account when planning the structure.
4. What constraints do you have on timelines and budget?
   Some jurisdictions register in a few days, others take months, especially when a financial license is involved.
5. What is the exit strategy: attracting an investor, selling a stake, IPO?
   For investors from the US, Europe or Asia, the choice of jurisdiction is often as important as the product.

COREDO registration process

At COREDO this has long been formalized as a “registration roadmap”. For the client, the process looks as transparent as possible:

1. Pre-project analysis
   • beneficiary checks (KYC, sources of income);
   • analysis of the business model for compliance with requirements of the local regulator;
   • preliminary structuring (holding, operating company, licensable entity).
2. Choosing the jurisdiction and company form
   • In the EU and United Kingdom this could be, for example, a private limited / s.r.o. / OÜ;
   • In Singapore and Dubai: local legal forms, which we structure according to the client’s objectives.
3. Preparation of corporate documents
   At COREDO we handle the articles of association, shareholders’ resolutions, corporate agreements, option programs if the business is investment-oriented.
4. KYC processing at banks and financial institutions
   This is where COREDO’s AML team experience comes into play: we pre-model the bank’s questions, prepare justification of sources of funds, the business plan, and financial forecasts.
5. Launch of operational activities and basic compliance setup
   • basic policies and procedures;
   • contractual framework (contracts, offers, privacy policies, AML disclaimers).

Case: European holding and Asian fintech

A few years ago an entrepreneur approached us who was already running an IT business in Asia and wanted to launch a licensed fintech product targeted at clients from the EU and Asia.

The solution developed at COREDO included:

• a holding company in one of the EU countries with a well-developed treaty framework for avoiding double taxation;
• an operational licensed structure in an EU country where a modern regulatory framework for payment institutions is available;
• a service center in an Asian jurisdiction with a strong technological ecosystem.

The COREDO team ensured the registration of all legal entities, the preparation of documents for banks, the structuring of agreements between companies, and the launch of AML procedures at the start. The client received a working structure within reasonable timeframes, without ‘paralysis’ caused by working with multiple consultants simultaneously.

Financial licenses: how to get approval

The strategically right license is not only access to the market, but also a level of trust from partners. At COREDO we systematically work with licenses in the EU, the United Kingdom, Switzerland, and certain countries in Asia and the CIS.

Typical requests include:

• licenses for payment institutions and electronic money;
• Banking licenses (including for niche players);
• licenses for investment services and forex;
• cryptocurrency licenses and registration of virtual asset service providers;
• Licensing of specialized financial institutions.

Why licensing is not just paperwork

My experience has shown: the likelihood of license approval drops significantly when the applicant treats the process as a “technical submission of documents”. The regulator looks not only at completeness, but also at:

• maturity of the business model;
• strength of the compliance culture;
• transparency of beneficial owners and sources of funds;
• quality of risk management and AML approaches.

Therefore, at COREDO we structure the work as a project cycle:

1. License readiness assessment
   The COREDO team analyzes the client’s current state: corporate structure, processes, presence or absence of AML policies, and the level of documentation.
2. Choice of jurisdiction and type of license
   Sometimes it makes sense to start with a registration regime or a limited license, and then scale. Our experience at COREDO has shown that a staged approach is often more effective than trying to “get the maximum” immediately.
3. Development of internal documents
   • risk management policies;
   • AML/CTF policies;
   • KYC procedures/KYB;
   • transaction monitoring methodologies;
   • governance documents (board of directors, committees, responsibilities of key persons).
4. Application submission and interaction with the regulator
   At this stage the COREDO team supports communication, prepares responses to inquiries, and adjusts documents in accordance with the regulator’s comments.
5. Post-licensing support
   The regulator expects reporting, internal audits, and policy updates. COREDO often remains a long-term partner, providing legal, compliance, and AML support.

License for a crypto provider

One of the illustrative cases is obtaining a license for a crypto company that serves clients from the EU and Asia.

The client approached requesting “a crypto license in one of the EU countries.” In our preliminary analysis we saw:

• a strong technological product;
• a poorly formalized AML component;
• lack of a clearly defined governance structure and role distribution.

The solution developed at COREDO included:

• choosing a jurisdiction with a clear regulatory practice for crypto services;
• establishing a legal entity and preparing a full package of corporate documents;
• development of AML policies, identification and monitoring procedures, and a client risk matrix;
• preparation of a business plan and financial forecasts in the format expected by the local regulator;
• support at all stages of dialogue with the regulator.

AML consulting: how to avoid risks to a license

AML has long stopped being only about banks. COREDO’s practice confirms that regulators and financial partners pay equal attention to payment companies, crypto projects, investment platforms and even some trading businesses.

What AML work entails

When we at COREDO say «AML consulting», we are not talking about a boilerplate 40-page policy that sits on a server “for show”. A real AML framework includes:

• risk assessment by countries, client segments, product types;
• development and implementation of KYC/KYB processes, including enhanced Due Diligence;
• methodologies for monitoring operations and detecting suspicious transactions;
• protocols for interacting with financial institutions and regulators;
• employee training and assignment of responsibility.

COREDO often gets involved in two typical situations:

• the business is being launched and AML processes need to be built in from scratch;
• the business is already operating but has run into problems: requests from banks, account freezes, regulatory remarks.

Common mistakes made by international companies

Experience has shown several common mistakes:

1. Copying someone else’s policies
   The document does not reflect the real business model, and the regulator quickly sees this from transactions and the client base.
2. Gap between legal documents and IT systems
   On paper the process is ideal, but in reality the system does not collect the necessary data and does not record decisions on risk cases.
3. Underestimating partner banks’ requirements
   A bank is often more conservative than the regulator. It is important to consider not only the law but also the internal policy of a particular financial institution.
4. Lack of regular review
   The AML policy was created at project launch and was not updated afterwards, despite changes in products, geography and transaction volumes.

The COREDO team builds AML projects to avoid these mistakes: it all starts with an honest description of the real business, not an idealized picture.

COREDO’s comprehensive client support

Many come to us for company registration or a license, and stay for years thanks to comprehensive support. This is a deliberate model: I originally built COREDO as a full-cycle partner, not a “one-off agency”.

• legal services and protection in the necessary jurisdictions (contracts, corporate law, dispute resolution with financial institutions);
• registration and protection of trademarks in EU countries, the UK and other regions;
• AML and regulatory compliance (policies, training, internal audits);
• accounting outsourcing and reporting tailored to the requirements of the specific country of registration;
• support for opening bank accounts and working with payment providers.

Fintech: multi-jurisdictional reporting

One of our clients is a fintech project with a licensed structure in the EU, operational teams in Asia and clients from various regions.

The COREDO team implemented the following for the client:

• registration of several companies in the EU and Asia;
• obtaining a financial license;
• implementation of AML policies and procedures;
• ongoing legal support (contracts with partners, user agreements, privacy policies);
• support in registering trademarks in key markets;
• coordination of accounting and tax reporting across different jurisdictions.

Thanks to a single team of consultants, the client does not waste resources synchronizing between lawyers, accountants and AML specialists in different countries. For me, this is the key measure of quality: when a business can focus on the product and growth, rather than “putting out” legal and regulatory issues.

How to choose a consultant

1. Focus and specialization
   It’s important that the consultant works systematically with international registration, financial licenses and AML, rather than treating it as “one of the services”.
2. Experience in relevant jurisdictions
   Company registration in the Czech Republic is very different from licensing in Singapore or structuring in Dubai. Practice is needed, not just theoretical knowledge.
3. Transparency of processes and communications
   You should understand what stage the project is at, what the risks are and the timelines. Here honesty is more important than optimistic promises.
4. Having a team, not a single “jack-of-all-trades”
   Registration, licensing, AML and legal support are different competencies. At COREDO, specialists of different profiles work on projects, and that is what provides depth.
5. Willingness to talk about difficulties
   If a consultant promises “quickly, without problems and questions from the regulator”, I would be cautious. A proper dialogue with the regulator always includes clarifications, revisions and hands-on work with documents.

In one recent inquiry a client put their expectations this way: “We need a partner who not only knows the AML procedure, but also understands how regulators and banks interpret it in practice.”

This request resonates well with my own position. Yes, COREDO actively uses industry knowledge, international standards and Russian and European approaches to AML, but it always keeps the boundaries of its competencies in mind.

If you are planning to enter a new region, are considering a license, or realize that AML and compliance processes in your company need to be reviewed, it is important to ask the right questions in time and build a system rather than patch individual problems. This is exactly the format in which I am used to working with COREDO clients and exactly how I see the role of a reliable long-term partner in international consulting.

As CEO and founder of COREDO, I see every day how entrepreneurs from Europe, Asia and the CIS face the challenges of international business. Company redomiciliation: it is a strategic tool that allows transferring registration to a new jurisdiction while preserving the structure, minimizing risks and opening access to markets. In this article I will share a practical guide based on the experience of the COREDO team since 2016: from assessing the need to change jurisdiction to full support.

Important to understand: redomiciliation is not an emergency “rescue” measure, but a managed strategic step. In 2023-2025 we observe a steady trend: companies change jurisdiction not because of a crisis, but for scaling, preparing for investment or entering new markets.

In COREDO practice redomiciliation is increasingly used as part of M&A preparation, pre-IPO structures or restarting bank onboarding after refusals.

When a business needs redomiciliation

The decision to relocate a company does not happen by chance. Our experience at COREDO shows: entrepreneurs choose redomiciliation when the old jurisdiction limits growth.

In practice we identify several categories of business for which redomiciliation is not just advisable, but critically necessary:

• Financial and fintech companies that require Licensing (EMI, SPI, crypto, forex). Without a “white” jurisdiction the license is either impossible or economically impractical.
• Holdings with international flows facing bank refusals due to the origin of the old jurisdiction.
• IT and SaaS businesses preparing for venture financing — investors almost always require an EU/UK/Singapore structure.
• Companies from offshore or grey-list countries for which continued operation becomes toxic from the point of view of AML and sanctions.
• Export-oriented businesses that need the customs, tax and regulatory advantages of the EU.

Key signals for action:

• Sanctions risks block partnerships.
• Lack of economic presence in target markets reduces investment attractiveness.
• The political stability of the new jurisdiction promises corporate secrecy and protection of property rights.
• The need for AML compliance for financial licenses.

The financial effect of redomiciliation is rarely limited to taxes alone. In COREDO’s real cases the main increase in ROI is driven by:

• re-establishing banking services and reducing transaction costs;
• access to European and Asian payment systems;
• lower compliance costs thanks to a clear regulatory environment;
• increase in business valuation during investments (multiples in the EU are on average higher by 15–40%).

Choosing a jurisdiction: EU, Asia or new ones

choosing a jurisdiction for relocation is a balance between the business environment, regulatory requirements and business objectives.

The most common mistake is to view redomiciliation as a “technical transfer”, without changing the management and compliance logic. In such cases the company formally changes jurisdiction but retains the old risks.

Typical mistakes we encounter:

• transfer to the EU without readiness to disclose beneficial owners;
• lack of real substance when declaring activities;
• ignoring AML requirements at the preparation stage;
• choosing a jurisdiction based on taxes rather than on banking compatibility.

In the EU, for example, the Czech Republic, Slovakia, Cyprus and Estonia lead in simplified procedures for registering legal entities. Redomiciliation in the EU is ideal for business in Europe: beneficiary and director registers are harmonized here, and a white jurisdiction ensures compliance. A solution developed by COREDO helped a manufacturing company from Asia move to the Czech Republic: the client preserved the share capital structure, adapted option programs and gained access to EU markets without double registration.

Asia attracts relocations to Singapore or Dubai: free zones offer zero repatriation taxes, corporate secrecy and asset protection. For businesses in Asia this opens export to ASEAN. At COREDO we accompanied a redomiciliation to Asia for a logistics firm from the CIS: integrating AML services minimized risks, and the new structure raised investment attractiveness.

chil scaling the business with expansion into African markets.
Compare the options in the table for clarity:

Redomiciliation steps: from preparation to launch

The redomiciliation procedure for a business requires precision. Start with an audit: check good standing, the absence of litigation, bankruptcy or debts. Notify creditors; publication is mandatory in most jurisdictions. COREDO’s practice emphasizes: 80% of refusals are due to weak Due Diligence.

1. risk analysis: We assess sanctions risks, compliance and the impact on partners. We model scenarios showing how redomiciliation and compliance strengthen reputation.
2. Document preparation: We adapt the share capital structure, registers. For redomiciliation from an offshore jurisdiction to the EU we integrate AML compliance according to FATF standards.
3. Filing and approval: In the EU – through national authorities or EUIPO. In Asia, free zones speed up the process. The COREDO team handles legal support, including legal opinion.
4. Post-redomiciliation: Tax optimization, account openings, licenses. We ensure economic presence through local offices.

Banks and regulators assess:
– continuity of the legal history;
– absence of a «break» in the ownership structure;
– alignment of the new jurisdiction with actual activities;
– quality of AML documentation and risk assessment.

Licenses and AML when relocating

financial licenses: banking, crypto, forex, payments: open global opportunities. In Poland (NPI/SPI), Estonia or Singapore COREDO accompanies from application to compliance. Our experience has shown: a cryptocurrency license in the EU requires strict AML consulting, including KYC and monitoring.

Comprehensive support at all stages

COREDO offers company registration in the EU, outsourcing, trademark protection under the Madrid Protocol. We register in the Czech Republic, the United Kingdom, Greece, Switzerland – the full range. Legal support saves time: from trademark registration to dispute resolution.

Long-term consequences? Redomiciliation strengthens corporate governance, adapts option programs and increases investment attractiveness. For businesses from the CIS, relocation to the EU addresses compliance pain points, enabling scaling.

The COREDO team will provide transparent processes, time savings and reliable results. Your success: our mission since 2016.

AML for investment companies in the Czech Republic in 2025 is no longer a formality, but a full operational framework that largely determines whether you will obtain a license, retain access to the European financial infrastructure and whether you will actually be able to scale the business in the EU, Asia and the CIS.

Over the past years I have seen funds with strong products and investment companies lose momentum, clients and money only because they underestimated three things: the real AML requirements, the expectations of regulators (FAU and ČNB) and the need to think of AML as part of the business‑model rather than a “legal overlay”.

AML in the Czech Republic for investment companies

Czech AML‑regulation for investment companies is based on several levels:

• Act No. 253/2008 Sb.
  The basic anti‑money laundering law, which sets out obligations for customer identification, identification of beneficial owners, transaction monitoring and reporting suspicious transactions (SAR/STR).
• EU AML Directives (AMLD) and FATF recommendations
  They define the framework of the risk‑based approach: a risk‑oriented approach that has become the key compliance philosophy for investment companies in Europe.
• Supervision and practice:
  • Financial Analytical Office (FAU): the Czech financial intelligence unit and the primary recipient of SAR/STR.
  • Česká národní banka (ČNB) – supervises banks, investment companies, licensed financial services, funds.

At the theoretical level everything is clear, but in reality what matters is not the names of the acts, but how this is reflected in everyday tasks: from investor onboarding to the daily monitoring of the portfolio and transactions. That’s what comes next.

New AML requirements for investments in the Czech Republic — 2025

From 2024–2025 I see three key blocks of changes that affect investment companies in the Czech Republic:

Appointment and registration of an AML contact in the FAU

For a number of companies falling under Act No. 253/2008 Sb., a requirement has been introduced to appoint an AML contact person and register them with the FAU by the established deadline (for some entities, by February 1, 2025).

Tightening of beneficiary identification

AML compliance in the Czech Republic is no longer limited to “collecting a passport and an extract”. The regulator’s real focus is on:

• identifying the Beneficial Owner (the ultimate beneficiary), taking into account complex ownership chains and trust structures;
• regular review checks (beneficiary verification frequency), not one-time KYC at onboarding;
• accuracy and timeliness of data in the Beneficial Ownership Register (corporate transparency).

Increasing automation and digitalization of AML

In the Czech Republic and across the EU, AML is increasingly shifting towards:

• digital identification of clients (e‑ID, eKYC, remote identification);
• integrations with state and commercial databases;
• the requirement for an audit trail and data lineage for blocking, escalation and SAR decisions.

KYC and due diligence for investments in the Czech Republic 2025

Basic KYC and risk‑based approach

Today it’s not enough just to collect a set of documents. A risk‑scoring model is important:

• client assessment (investor type, jurisdiction, PEP status, reputation);
• product assessment (fund type, liquidity, presence of crypto assets);
• channel assessment (online onboarding, via intermediaries, partner networks);
• geography assessment (EU, Asia, CIS, high‑risk countries).

Enhanced Due Diligence for PEPs and high‑risk jurisdictions

For Politically Exposed Persons (PEPs) and clients from high‑risk countries, formal document collection does not work. You need:

• Source of Funds and source of wealth analysis;
• detailed screening against sanctions and adverse media lists;
• understanding how the client’s profile aligns with your investment strategy.

Registration of the AML contact at FAU: checklist

A typical approach that the COREDO team has followed in recent projects:

1. Determining the role and authorities of the AML‑contact
   • access to all AML data and systems;
   • the right to escalate cases to top management;
   • participation in approving the AML policy.
2. Preparation of the AML‑contact dossier
   • a CV, evidence of experience in compliance / jurisprudence / finance;
   • confirmation of absence of conflicts of interest;
   • a description of how their role is integrated into the model three lines of defence.
3. Registration with the FAU
   • filling out the form and submitting the contact person’s data;
   • setting up internal procedures so that all SARs/STRs go through the designated channel.
4. Integration of the AML‑contact into the operational framework
   • participation in KPI reports;
   • coordination of AML audits and interaction with ČNB (if the company holds licenses).

Transaction monitoring and AI in AML at an investment company

investment company in the Czech Republic, especially one that works with a multi-jurisdictional portfolio and high-frequency operations, cannot rely only on “check-lists in Excel”.

• a rules set (rules engine) by types of operations:
  • incoming/outgoing transfers;
  • subscription/redemption of fund shares;
  • operations with crypto-assets;
• risk-scoring models for clients and transactions;
• escalation and case management system (case management).

AI and ML models against false positives

One of the main pains clients brought to COREDO was a high percentage of false positives: the system “clogs” the compliance department with false alerts, people burn out, and real risks get lost in the overall noise.

Data lineage, audit trail and GDPR

Modern AML compliance is unthinkable without:

• data lineage, understanding where data came from, how it was transformed, and on what basis the decision was made;
• audit trail, logs of all actions, status changes, escalations;
• a proper data retention policy compatible with GDPR requirements and the AML law regarding retention periods.

VASP and crypto-assets in the Czech Republic

A separate layer of issues — requirements for VASP and the crypto industry. If a fund:

• invests in crypto‑projects;
• works with tokenized assets;
• itself obtains VASP registration,

then the regulator expects:

• compliance with specific AML‑requirements for VASP;
• having an Internal AML officer with experience specifically in crypto;
• meeting minimum capital requirements (ranges are typically around €50k–€150k depending on the model and services);
• physical presence: an office, a local director, clear governance.

AML audit and interaction with the Financial Analytical Unit / Czech National Bank

Even mature teams sometimes encounter “bottlenecks”: outdated procedures, outdated risk‑models, weak PEP controls, manual processes without an audit trail. In such situations, not only diagnosis is important, but also a regulatory remediation plan, a plan of corrective measures.

1. Gap‑analysis:
   • comparison of current procedures with Act No. 253/2008 Sb., EU directives and local guidelines;
   • assessment of actual implementation (not just the presence of documents).
2. Risk prioritization:
   • quick fixes (quick wins) affecting daily operations;
   • medium‑term changes (rewriting policies, revising the risk‑model);
   • long‑term changes (IT‑architecture, automation, integrations).
3. Regulatory remediation plan:
   • step‑by‑step plan with deadlines and KPIs;
   • allocation of responsibilities: AML‑officer, CIO, lawyers, business‑units;
   • preparation of the rationale for dialogue with FAU/ČNB.
4. preparation for AML‑audit:
   • testing a sample of clients and transactions;
   • simulating FAU requests;
   • team training (including compliance culture and employee training).

Technologies, ROI and TCO in an AML Project

I usually suggest looking at three levels:

TCO (Total Cost of Ownership)

Owning an AML solution includes:

• software licenses and access to external databases (sanctions, PEPs, adverse media);
• integrations (core systems, CRM, banking interfaces, API with FAU: where possible);
• internal resources (IT team, analysts, AML officer);
• training and an annual AML audit.

Economic impact

The ROI of an AML project is not always expressed solely in direct savings. It more often manifests in:

• reducing operating costs through:
  • reducing the share of manual checks;
  • reducing false positives;
• speeding up investor onboarding, especially from the EU, Asia, and the CIS;
• reducing the likelihood of:
  • fines and sanctions;
  • account blocks by banks and custodians;
  • loss or non-renewal of a license.

AML model for the EU, Asia and the CIS: how to build it?

Many COREDO clients start with a Czech license and infrastructure, and then expand into other jurisdictions: the EU, Asia, the Middle East. It is a mistake to build local AML processes “from scratch” in every country.

• create a single AML framework, based on:
  • EU requirements (AMLD);
  • FATF standards;
  • best practice of the risk‑based approach;
• and layer local requirements (Singapore, Dubai, certain CIS countries) as add-ons.

Practical roadmap for investments in the Czech Republic

Summarizing COREDO’s experience, a practical roadmap for an investment company in the Czech Republic that wants to be ready for AML 2025 requirements and beyond looks like this:

1. Map of regulatory obligations
   • identify which specific articles of Act No. 253/2008 Sb. apply to you;
   • document obligations to the FAU and ČNB.
2. Appointment and registration of an AML‑contact
   • select a real, not a formal, responsible person;
   • register them with the FAU and integrate them into the three lines of defense.
3. Review of KYC / EDD and the beneficial ownership framework
   • ensure that Beneficial Owners are correctly recorded both in the system and in the register;
   • implement a clear periodic verification cycle for beneficiaries.
4. Modernization of transaction monitoring
   • implement or update scenario‑based monitoring;
   • if necessary, add AI/ML and XAI to reduce false positives;
   • set up a SAR/STR workflow with clear SLAs.
5. GDPR and data retention
   • review the policy on retention periods and access rights;
   • ensure a transparent audit trail and data lineage.
6. External AML‑audit and remediation‑plan
   • conduct an independent assessment;
   • prepare and implement a remediation plan;
   • prepare a readiness package for FAU/ČNB inspections.
7. Scaling strategy
   • synchronize the Czech AML framework with plans to expand into the EU, Asia, Dubai, and Singapore;
   • embed compliance by design into new products and funds.

As the CEO and founder of COREDO, I see entrepreneurs from Europe, Asia and the CIS facing the challenges of international expansion every day: from registering companies in new jurisdictions to obtaining financial licenses and ensuring strict AML compliance. Our experience since 2016, covering the EU, the Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore and Dubai, confirms: success is built on a deep understanding of local regulations, such as 6AMLD and AMLR, and the implementation of practical solutions. In this article I will outline the key steps based on real cases from the COREDO team, so that you get a clear guide to minimizing risks and accelerating processes.

I’ll add an important caveat from COREDO’s practice: “negative outcome” during bank onboarding or licensing is almost never related to a single document. It is always a combination of factors: ownership structure + source of funds + client risk profile + quality of monitoring + manageability of compliance. Therefore, below I will analyze not the “theory of AML”, but a set of concrete artifacts that are actually checked: (1) EU banks when opening an account/correspondent account, (2) regulators during licensing, (3) auditors during an AML audit/inspection. And most importantly: I’ll show how to compile these artifacts so they work as an evidentiary basis, not as a “folder for the sake of a folder”.

Choosing a Jurisdiction: Taxes and Compliance

In reality a bank judges a jurisdiction not by the “tax rate” but by implementation risk and how controllable it is. Common rejection triggers I regularly see:

• multi-layered ownership chain without clear business logic (especially if there are offshore “layers”);
• “investor/founder” with an opaque source of wealth (high income without a provable accumulation history);
• mismatch between the geography of the funds and the geography of the business (for example, a company in the EU while the money “lives” in Asia/Middle East without explanation);
• nominal substance (there is an address but no management function and no verifiable operational reality);
• lack of a clear model: who the client is, how you make money, what the risks are and who controls them.

The COREDO team recently assisted a fintech startup from Asia with registration in Lithuania: we integrated online verification with the government platform, ensuring AML audit compliance in Lithuania and opening an account in a local bank within 3 weeks.

The Bank of Lithuania AML in 2025 strengthened priorities: mandatory transaction monitoring and PEP monitoring for all new entities. The solution developed at COREDO included preliminary due diligence for international transfers, minimizing predicate offences risks and ensuring smooth onboarding.

Mini-document package that speeds up banking onboarding in the EU (what they actually ask for)

1. Ownership pack: organizational structure (diagram), UBO register, corporate documents for each “tier” of ownership.
2. Source of Funds / Source of Wealth pack: origin of capital (contracts/dividends/sale of assets), tax returns/audit (if any), statements, accumulation logic.
3. Business model pack: products, target markets, client types, payment geography, calculation of expected turnover, list of key counterparties (top-10), money flow diagram.
4. Compliance pack: AML policy, Risk Assessment (methodology + result), sanctions/PEP screening, EDD procedure, SAR workflow, training.
5. Operations pack: substance (office/people/functions), contracts with providers (KYC/screening/monitoring), description of IT environment and access.

Obtaining Financial Licenses

Obtaining licenses for crypto, banking services, forex or payments is not a formality but a demonstration of resilience. In Lithuania the Bank of Lithuania AML requires a business plan with SAR reporting and a risk-based approach before issuance.

Practically speaking: for the regulator and the bank the “business plan” is not a pitch but a test of how well risks are managed. At COREDO we compile it in the format:

• Product scope: which services you provide and which you do not provide (especially important for crypto/payments).
• Customer risk: who your customer is (individual/legal entity), which segments are high-risk, what restrictions (for example, bans on certain jurisdictions / certain industries).
• Transaction risk: what types of transactions, what limits, what triggers enhanced checks.
• Control design: sanctions/PEP screening, EDD procedures, transaction monitoring, case management, SAR/STR reporting.
• Governance: who is the MLRO, who they report to, how the “three lines of defence” works, how often the Risk Assessment is reviewed.
• Outsourcing & vendor risk: which functions are with providers, what SLAs, how you control the quality of data and models.

Our experience at COREDO with a fintech client showed: integration of AI-driven AML scoring increased approvals from 60% to 95%, speeding up the process by 40%. We conducted compliance stress-testing by simulating peak transactions, which convinced the regulator of readiness for 6AMLD implementation.

Realistic timeline for AML implementation

• First 30 days: Risk Assessment, basic policies (CDD/EDD/sanctions), appointment of MLRO, start of screening, initial client and country risk matrix.
• 60 days: setup of transaction monitoring (scenarios, thresholds, alerts), implementation of case management, staff training, first test SAR/STR reports “for internal use”.
• 90 days: tuning false positives/false negatives, regular reports to the board of directors, internal audit plan, vendor quality control, an “audit trail” of decisions.

AML consulting: audit and monitoring

AML compliance Lithuania: a priority for everyone entering EU markets. AML audit Lithuania includes CDD, EDD and checks against FATF recommendations. The COREDO team conducts it in two stages: diagnosis (predicate offence risks) and optimization (automation). In a project for a bank we implemented transaction monitoring Lithuania with AI, providing performance metrics: coverage 99%, response time <1 min.

Which monitoring metrics banks and auditors really “love”

• Alert-to-case ratio: how many alerts turn into cases (if almost all alerts are “off” — the system is noisy).
• Case cycle time: average time to close a case and share of overdue cases.
• SAR/STR quality: share of returns/clarifications from the FIU (if such signals exist) or internal QA scoring of quality.
• False positives for key scenarios and causes (threshold/data/rule/client behavior).

At COREDO we almost always start by tuning the “top-3 noisiest scenarios” — this quickly reduces the team’s load and improves investigation quality without loss of control.

To prepare for an AML audit/inspection, it’s important to understand the mechanics of the review. The auditor almost always follows the logic:

• Design — do you have policies/procedures, and do they correspond to the risks.
• Implementation — do staff actually perform the procedures (and are there traces of this in systems).
• Effectiveness — do controls deliver results (metrics, tests, cases, adjustments).

KYC Lithuania is evolving toward eKYC standards with eIDAS identification: onboarding conversion increases by 50% without loss of security. Our approach: real-time PEP screening plus SAR reporting Lithuania according to Bank of Lithuania templates. For fintechs we minimized risks by integrating AI into Lithuanian banks’ AML systems, which increased efficiency by 35% and reduced fines from AMLA.

6AMLD Lithuania focuses on criminal liability of directors: COREDO recommends an AML officer on the board. In a crypto-business case we performed a stress test of AML compliance, identifying vulnerabilities in CFT, and adjusted policies to ensure protection against predicate offences in international transfers.

Critical moment of 2026: MLRO/AML Officer is not a “signature person”. Banks and regulators look at the independence of the function: who the MLRO reports to, can they stop a client/transaction, is there direct access to senior management, how conflicts of interest are recorded. We usually implement a simple but strong arrangement:

• The MLRO has the right to freeze/hold transactions until the investigation is completed;
• decisions are recorded in the case-management system with an audit trail;
• monthly MLRO report to management/board: risks, trends, incidents, scenario adjustments.

Support: from registration to scaling

COREDO offers a full cycle: registration, licensing, AML-compliant EU banks, account opening and reporting. In the EU banks require proof of business reputation and a business plan — we prepare them with ESG criteria. For Asia we add cryptographic security protocols.

To be as concrete as possible, here is a typical set of deliverables that we provide to the client in turnkey projects:

• Risk Assessment (methodology + final risk matrix for clients/products/countries/channels);
• AML/CFT Policies & Procedures (CDD/EDD/sanctions/PEP/monitoring/SAR);
• Onboarding playbook for the bank (structure, funds, business logic, answers to standard questions);
• Monitoring setup (scenarios + thresholds + escalation rules + investigation templates);
• Training pack (slides/tests/training log);
• Evidence pack for the audit (case examples, logs, QA reports, decision records);
• Remediation plan for 30/60/90 days if the audit/bank found gaps.

The AML regulator in Lithuania in 2025 emphasizes automated transaction monitoring — we integrate it with existing systems to ensure seamless scaling.

Typical reasons for bank refusals or compliance delays

1. Weak source of wealth: funds exist, but there is no provenance story. Solution: compile a narrative + documents + transaction sequence.
2. Insufficient substance: “a shell office”. Solution: demonstrate management function, contracts, roles, processes.
3. Unaddressed high risk: no EDD logic for PEP/sanctions/high-risk countries. Solution: EDD matrix + limits + controls on review frequency.
4. Monitoring “in a vacuum”: rules exist, but no cases/metrics/QA. Solution: evidence pack + performance indicators.
5. Too broad business model: “we do everything”. Solution: narrow the scope at the start and expand after gaining the bank’s trust.

Strategic ideas for growth

• Conduct sanctions due diligence on founders before submission; reduces rejections by 80%.
• Invest in AI for unusual patterns detection: ROI 200–300% per year.
• Prepare for AMLA focus: quarterly stress tests.
• For eKYC and digital onboarding use EU standards: preserves conversion during growth.

Questions clients commonly ask before entering the EU/Lithuania

One of the key innovations of 2026 is the mandatory digital identification of founders and the use of electronic signatures at all stages of company registration in the EU. According to the European Commission, this reduced the average time for remote registration of legal entities by 35–50%, and the number of rejections due to forged documents and nominee structures fell by more than 40% compared to 2022–2023.

The focus has shifted from the question “what has been filed in the register” to questions “who is behind the structure”, “how is governance formed” and “how transparent is the source of capital”.

That is why today the speed of company registration in the EU and the subsequent bank onboarding directly depend not on the jurisdiction as such, but on the quality of digital identification, the consistency of the corporate structure and the readiness of the business for KYC/AML checks at the level of the individual, not the paper.

New requirements for company registration in the EU in 2025

In 2025, company registration in the EU underwent a number of fundamental changes affecting both the documents for company registration in the EU 2025 and the procedure itself. These changes were the result of accumulated problems of previous years: the use of nominee structures, fictitious directors and opaque ownership chains. The EU is consistently closing these loopholes by unifying requirements between countries and reducing opportunities for regulatory arbitrage. COREDO’s practice confirms: now most EU countries require not only the standard set of incorporation documents, but also proof of source of funds, KYC questionnaires, and disclosure of information about ultimate beneficiaries in accordance with the new 2025 beneficiary disclosure requirements.

Comparative table of changes in the EU and Asia

Documents for company registration in the EU and Asia in 2025

COREDO’s experience shows that in 2025 the standard package of documents for registering a company in the EU includes:

• founding agreement and articles of association,
• proof of registered address,
• digital identification of the founders (video verification, eIDAS, BankID),
• KYC questionnaires and information about beneficial owners,
• proof of source of funds,
• electronic signatures.

Regulators expect a pre-built AML framework for them, not reactive implementation of procedures after registration.

Recommendations for registration

• Prepare a complete set of incorporation documents taking into account the new requirements for disclosing beneficiaries.
• Complete digital identification of the founders and ensure electronic submission of documents. In practice this means involving lawyers and compliance specialists before filing the documents, not after receiving requests from registrars or banks.
• Appoint a compliance officer and integrate AML services into business processes. In some jurisdictions the presence of a compliance officer is viewed as an indicator of business maturity and directly affects the speed of application review.
• Choose a jurisdiction taking into account industry requirements, tax incentives and the possibility of remote registration.
• Conduct Due Diligence on founders and partners, and check against sanctions lists.
• Prepare a business plan and the documents required to open corporate accounts at European or Asian banks.
• Implement ESG criteria and automate corporate reporting. ESG is increasingly used not only by investors but also by banks as an additional filter when assessing a company’s long-term risks, especially in the EU.

Registration in the EU — it’s no longer about documents, it’s about trust

Companies that continue to approach registration formally face the same problems: lengthy timelines, repeated requests, banks refusing to open accounts and the need to “redo” structures after registration. Those who from the start design their corporate model taking digital and AML requirements into account complete the process 2–3 times faster and without reputational risks.

Why COREDO

The COREDO team has supported international business since 2016 at the intersection of company registration, bank onboarding, licensing and AML compliance. We don’t just register legal entities – we design structures that withstand scrutiny from registrars, banks and regulators.

We:

• choose a jurisdiction based on your business model, not ‘from a list’;
• prepare corporate and beneficial ownership structures to meet 2025 requirements;
• support digital identification, eIDAS and electronic signatures;
• proactively eliminate the risk of refusals from banks and regulators;
• work with the EU, Asia and the CIS as a single ecosystem, not as fragmented markets.

If you are planning to register a company in the EU, access European banks or pursue further licensing, start with the right architecture, not with fixing mistakes.

Contact the COREDO team – we’ll analyse your case, show risks before you submit documents and build a solution that will work not only today but also after the first banking review.

As the CEO and founder of COREDO, I see every day how entrepreneurs from Europe, Asia and the CIS face the challenges of international expansion: from registering companies in new jurisdictions to obtaining financial licenses and ensuring AML compliance. Our experience at COREDO since 2016 covers the EU (including the Czech Republic, Slovakia, Cyprus, Estonia), the United Kingdom, Singapore and Dubai, where the team has carried out hundreds of projects on structuring, licensing crypto and payment services, as well as AML audits. In this article I will explain how to turn these difficulties into strategic advantages, drawing on practical cases and proven approaches.

The absence of this logic most often leads to negative audit findings, even when the documents are correct.

Choosing a jurisdiction for registration and bank onboarding

Registration of a legal entity abroad is not just a formality but a foundation for scaling. In 2025, attractive options remain Cyprus, the UAE (especially Free Zones), Singapore and Estonia: here low bureaucracy, remote registration and access to EU/Asian markets combine. For example, in Cyprus the COREDO team recently registered a holding for a CIS client in 5 days, with a full document package including address verification and beneficiary data. This allowed the client to obtain residency through business investment and open an account in an EU bank without delays.

How banks assess a jurisdiction during an AML audit

Cyprus, Estonia and Singapore are perceived as “transparent” jurisdictions with clear AML/CFT rules. At the same time, structures in UAE Free Zones without substance automatically fall into the high-risk segment, regardless of business volume.

At COREDO we always build this logic from the start so that AML audit does not turn into a process of excuses.

Why a lack of substance is a key trigger for a negative AML audit

Lack of real presence is one of the most frequent reasons for negative AML audit conclusions. Banks view such structures as a tool to circumvent controls, even if the business is legal.

Checklist for registration in the EU and Asia (based on COREDO projects):

• Define the purposes: holding, trading or a license (crypto/payments).
• Collect documents: passport, proof of address, UBO data (source of funds, PEP declaration).
• Check substance: office, local director (for the EU: mandatory since 2024).
• Prepare for KYC compliance: banks require a full ownership chain.

Time savings are real — the solution developed at COREDO reduces the process to 2 weeks for Cyprus or Dubai.

Obtaining financial licenses: crypto and payments

Licensing: the next step after registration. In the EU (Estonia, Cyprus) crypto licenses are issued under MiCA, in Singapore: MAS, in Dubai: VARA. The COREDO team conducted an AML audit for a client before applying for a payment license in Lithuania: we identified vulnerabilities in transaction monitoring and fixed them within 30 days, which sped up approval by 3 months. Preparation for an AML audit includes an AML risk map and a self-assessment according to FATF standards – this is the standard for bank onboarding.

Why an AML audit is a mandatory step before licensing

At COREDO we use a preliminary AML audit as a tool to accelerate licensing: the regulator sees that the company understands the risks and controls them, rather than reacting after the fact.

For forex and banking services in the Czech Republic or Slovakia the key: a risk-based AML approach. COREDO’s practice confirms: the integration of GNN (graph neural networks) and FHE (fully homomorphic encryption) into an AML/CFT program increases audit ROI up to 300% through monitoring automation. A client from Asia received a crypto license in Estonia after our external AML audit, where we implemented digital onboarding via eIDAS and the MAS framework, reducing verification time to 3 weeks.

When AML technologies actually work

Using AI in AML makes sense only with correctly built process logic. Automation does not fix mistakes, it scales them.

AML compliance for a sustainable business

Company AML audit – not an option, but a necessity before bank onboarding. Banks check source of funds, PEP status and sanctions lists. Our experience at COREDO has shown: ignoring GNN in AML leads to rejections in 40% of cases, while implementation automates detection of vulnerabilities.

Typical reasons for a negative AML audit

In COREDO’s experience, negative AML audit findings are most often related to the following factors:

• absence of a documented decision trail;
• formal approach to EDD;
• mismatch between risk scoring and the client’s real profile;
• weak integration of AML and IT systems.

How to conduct an AML audit in 30 days? Steps from COREDO’s practice:

1. Self-assessment of risks: create an AML risk map, monitor FATF lists.
2. External AML audit: check transactions, whistleblowing procedures and GDPR integration with AML.
3. Corrective action plan: automate reporting, implement transaction monitoring in the AML/CFT program.
4. legal opinion on compliance: confirms readiness for licensing.

Realistic timeline for a 30-day AML audit

In reality, a 30-day AML audit is possible only with a clear work structure:

• days 1–5: data collection and interviews with key personnel;
• days 6–15: transaction analysis, KYC, sanctions and PEP;
• days 16–25: development of a remediation plan;
• days 26–30: report preparation and legal opinion.

At COREDO we use precisely this format, which allows companies to approach banks and regulators with a ready position.

For FinTechs from the CIS: integrate eIDAS onboarding for the EU and MAS Digital Onboarding for Asia.

Support: from audit to scaling

COREDO provides a full cycle: registration, licenses, KYC compliance, annual AML audit. We hire local lawyers and accountants, and prepare CARF reporting (automatic data exchange).

The link between AML audit and scaling a business

A mature AML system directly affects a company’s ability to scale. Banks, investors and partners view results of an AML audit as an indicator of how well the business is governed.

In COREDO projects, it was precisely a successful AML audit that allowed clients to enter new markets without repeat checks and delays.

Checklist for a company’s readiness for an AML audit

Before starting an AML audit, the company must ensure that:

• the ownership structure is transparent;
• sources of funds are verified;
• the AML officer is involved in operational processes;
• IT and AML are integrated;
• employees are trained in the risk-based approach.

Important to understand: entering international markets is not a one-off company registration, but a business architecture. The mistake of most entrepreneurs is that they treat registration as a “legal start” rather than as the basis for bank onboarding, licensing and further scaling.

Choosing a jurisdiction for business

There is no universal “best” jurisdiction in international practice — there is one suited to a specific business model. At COREDO we always start with classifying the business:

• IT / SaaS – priority for Estonia, Cyprus or the United Kingdom with a focus on IP structure and venture appeal;
• Trading and brokerage – Cyprus, Czech Republic, United Kingdom with licenses and access to EU payment rails;
• FinTech / payments – Lithuania, Singapore, UAE with strict AML and capital adequacy;
• Crypto / Web3 – MiCA jurisdictions in the EU or VARA in Dubai;
• Holdings and investments – Cyprus, Netherlands, UK with a network of DTT agreements.

Consider the tax regime, reporting requirements and geopolitics.
In practice, it is the bank onboarding that becomes the main “bottleneck” of international business. EU and Asian banks assess not only the country of registration, but also:

• the source of funds;
• transparency of the beneficial ownership structure;
• the economic rationale of the operations;
• the company’s readiness for AML controls.

Steps to register a company

Registration is not bureaucracy, but a strategic process.
The most common registration mistakes for companies abroad that the COREDO team encounters:

• registering “in one’s own name” without considering future investors or banks;
• lack of substance for declared international activity;
• template articles of association without corporate logic;
• ignoring AML requirements before applying for an account or license.

The solution developed by COREDO simplifies it to 4 stages.

Stage 1: Document preparation. Collect the founder’s passport, proof of address, and questionnaire. In jurisdictions like the United Kingdom or Estonia an online form is sufficient; in Dubai – notarised copies. Our experience shows: document errors can extend the process by weeks. We always verify translations and the apostille under the Hague Convention.

Stage 2: Submission and approval. In the Czech Republic submit to the Commercial Register online, in Singapore – via ACRA (1-2 days). For branches of foreign entities, as in the EU, prepare a board resolution and the articles of association. The COREDO team has completed 50+ such registrations, including the notification procedure in Slovakia, where we simultaneously make changes to the registers.

Stage 3: Bank account and address. Open a corporate account – in Estonia through LHV, in Dubai at Emirates NBD. Rent a registered office: in Cyprus from 500 € / year. COREDO’s practice confirms: integrate this with registration to avoid delays.

Stage 4: Post-registration. Obtain VAT, EIN, or an equivalent. In Singapore, GST registration. We support through to full operational readiness, opening acquiring for international payments.

Obtaining financial licenses: crypto and payments

Licenses are a barrier to entry, but also a competitive advantage. From an economic point of view, a license is not only a regulatory requirement but also a factor in increasing business value. In our observations, having a license increases a company’s valuation on average by 20–50%, and for FinTech and Crypto – up to 2–3 times compared to unlicensed counterparts.

Moreover, a license simplifies:

• Opening bank accounts;
• connecting to international PSPs;
• attracting institutional investors;
• scaling in other jurisdictions.

At COREDO we specialize in crypto (VASP in Estonia under MiCA), banking (EMI in Lithuania), forex (FCA in the UK) and payments (MAS in Singapore).

Process: regulator analysis (CySEC requires capital adequacy 730k euros), business plan, AML/CTF framework, fit-and-proper tests. Our approach is modular: we develop policies according to FATF Recommendation 15, integrate KYC/EDD. The COREDO team has obtained 20+ licenses, including a payment license in Dubai (DFSA) for a client from the CIS. We accelerated the process by 40% by providing ready-made templates compliant with PSD2 in the EU.

AML Consulting: protection against risks in real time

AML: not a formality, but a foundation of trust. Many entrepreneurs view AML as a cost. However, in reality a properly built AML framework reduces operational risks and accelerates growth.

Companies with transparent AML:

• experience fewer account blocks;
• pass bank checks faster;
• expand into new countries more easily;
• are protected from reputational losses.

Comprehensive support at all stages

COREDO offers end-to-end: from registration to annual compliance. Save time: we take on the routine — reporting, renewals, tax optimization (for example, IP-box in Cyprus with 2.5% tax). Trustworthy advice: choose a partner with 8+ years of experience in your regions.

At COREDO we build long-term relationships, turning challenges into opportunities.

As CEO and founder of COREDO, I see every day how entrepreneurs from Europe, Asia and the CIS face the challenges of international expansion: from registering companies in new jurisdictions to obtaining financial licenses and strict compliance with AML requirements. Our experience at COREDO since 2016 covers hundreds of projects in the EU, including the Czech Republic, Slovakia, Cyprus, Estonia and Lithuania, as well as Singapore and Dubai. We help turn these complexities into competitive advantages, ensuring transparency, speed and full compliance.

How the Bank of Lithuania Views Investment Companies in 2026

Why Lithuania Leads in Investments in 2026

Why AML in Lithuania is stricter than in most EU countries

Typical mistakes of investment companies in KYC in Lithuania

The role of the MLRO in investment companies: formality or control

AML officer and MLRO in investment firms

AML for investment companies with crypto exposure

KYC and compliance for investment companies

• Step: Automate digital identification via eKYC with cryptographic protocols.
• Step: Implement source-of-funds verification for investments in Lithuania, checking the transaction chain for compliance with CFT procedures.
• Step: Appoint an AML officer for investments and set up automated AML transaction monitoring in Lithuania with anti-fraud systems.

How the Bank of Lithuania assesses the effectiveness of an AML system

What happens after a negative AML inspection in Lithuania

AML systems: risks and ROI

The connection between AML and scaling an investment business

Comprehensive support: registration and licensing

Checklist for an investment company before a Bank of Lithuania inspection

• the ownership structure is transparent and justified;
• sources of funds are documented;
• the AML officer is actively involved in processes;
• the IT infrastructure complies with DORA;
• the AML and business strategies are aligned with each other.

Partnership with COREDO

As CEO and founder of COREDO, I see every day how entrepreneurs from Europe, Asia and the CIS face challenges when entering international markets. Our experience since 2016 in company formation, obtaining financial licenses and AML consulting allows the COREDO team to turn these complexities into strategic advantages. In this article I will break down the key aspects based on practice: from choosing a jurisdiction to the assessment by EU banks of investment structures, so that you get a clear guide for your business.

How EU banks really view investment structures

In practice this means that even a correctly registered company can be refused if the bank does not understand the sources of income, the role of the SPV or the economic rationale for the risk allocation. At COREDO we always start from the bank’s perspective, not the applicant’s — this is exactly what shortens account opening times.

Choosing a jurisdiction: speed, taxes, EU banks

Registering a company abroad begins with analyzing your goals, whether seed venture projects or creating investment structures for scaling. The COREDO team always assesses criteria: level of bureaucracy, tax rates, possibility of remote onboarding and access to banking services. In 2025 the leaders remain Cyprus, UAE (Dubai), Estonia and Singapore: jurisdictions where we have successfully registered dozens of companies.

Why, for EU banks, a jurisdiction is not about tax but about a risk profile

For example, Cyprus is perceived by EU banks as a predictable jurisdiction with a clear judicial system and a mature regulator, whereas structures with similar taxes outside the EU require significantly more Due Diligence. That is why at COREDO we often use Cyprus or Estonia as a “trust anchor” for international groups.

In Cyprus, for example, the process takes 5–10 days: you submit the constitutional documents, proof of address and data on beneficial owners. This opens the doors to European regulation with flexible offshore advantages, including residency through investment. COREDO’s practice confirms: for holding structures a corporate tax of 12.5% is ideal here without double taxation thanks to treaties with 60+ countries. In Dubai Free Zones provide 100% foreign ownership and zero corporate tax, with registration in 3 days — we recently launched a client’s payment company exactly like that, enabling integration with EU banks via passporting.

Substance as a key factor in banks’ assessment

Since 2024 EU banks practically do not consider investment structures without confirmed substance. It is not only about an office or a director, but about the actual center of decision-making.

Estonia and Singapore are suitable for fintech: e-Residency allows online registration, and we help meet substance requirements (a real office, local staff) since 2024, when they were tightened. Our approach: first Due Diligence of your current structure, then selecting a jurisdiction based on ROI calculations and risks. A client from Asia, for example, registered an SPV in Cyprus for Series A venture financing, minimizing risk isolation and obtaining an EU bank account in 2 weeks.

How a license affects the banking decision

That is why structures with an EMI, AIFM or VASP license pass bank onboarding faster than non-regulated investment companies. At COREDO we use Licensing as a tool to accelerate banking decisions, not only as a regulatory requirement.

Obtaining financial licenses: crypto and payments

financial licenses – the next step where many lose time. The COREDO team specializes in crypto licenses (VASP in Cyprus), banking, forex and payment (EMI/MFI in the EU). Regulatory requirements such as AIFMD for EU investment funds we review at the planning stage.

For AIF/UCITS or ZISIF §15 in Czechia/Slovakia a minimum capital is required (from 125,000 EUR), a transparent ownership structure and an AML check. COREDO’s practiceshows: EU banks approve faster if ESG criteria are integrated immediately: the share of green assets under the EU Taxonomy.We helped the client’s fund move from ZISIF §15 (asset limit 100 mln EUR) to an AIFMD umbrella fund, securing EU passporting and access to qualified investors without changing the regime.

What EU banks check first in investment funds

When assessing investment funds, EU banks focus on three aspects:

• transparency of ownership and control;
• alignment of the investment strategy with the stated risk profile;
• the fund’s ability to manage liquidity and conflicts of interest.

In practice this means that even a formally permissible structure can be rejected if the bank does not see a clear link between the fund’s strategy and its operating model.

In Singapore, an MAS license for payments takes 4–6 months; the solution developed at COREDO includes KYC/AML from the start. For crypto in Cyprus, CySEC requires Due Diligence of beneficiaries and an investment assessment — we perform it according to international standards, focusing on the business reputation of the founders and corporate governance.

AML consulting for EU banks

AML checks are a pain for 90% of clients seeking accounts with EU banks. Banks have tightened KYC: they require data on beneficial owners, sources of funds and ownership structure. Our experience at COREDO confirms: transparency is everything here. We conduct internal Due Diligence according to FATF standards, including checks for corporate conflicts and non-financial indicators.

Typical reasons EU banks refuse on AML grounds

According to our statistics, most EU bank refusals are not related to the client’s geography but to opaque sources of funds and complex ownership structures without an economic rationale.

Example: a client from the CIS was creating a multi-strategy platform in Estonia. EU banks (including Lithuania and the Czech Republic) requested AML checks in the EU investment structures. The COREDO team prepared a report assessing the ownership structure (dispersed vs concentrated), the GAR coefficient for green assets and proxy metrics based on the precautionary principle. Result: the account was opened, ROI exceeded 15% in a year.

ESG as a factor in bank trust, not marketing

For EU banks ESG is a tool to assess sustainability, not a PR indicator. What is checked is not the declaration but the compliance of the investment portfolio with the technical criteria of the EU Taxonomy.

For securitization of assets (real estate, pools of debt claims) we add unit liquidity and financial resilience. In the EU the Taxonomy requires technical criteria for six environmental objectives: we calculate the share of revenue from sustainable activities, ESG capital expenditures and operating expenses, avoiding greenwashing.

Support from registration to scaling

COREDO provides the full cycle: after registration: tax number, reporting, account openings. For investment structures we conduct investment assessments for EU banks: ROI calculations taking into account AIFMD requirements, risk management and ESG factors. A client with real estate development projects in Cyprus used our SPV structure for risk isolation; EU banks approved financing from the European Investment Bank (EIB) on a four-level scale, focusing on the quality of the project cycle.

Checklist: how to prepare an investment structure for an EU bank assessment

Before approaching an EU bank an investment structure should answer the key questions:

• is the logic of ownership and management clear;
• are the sources of funds verified;
• does the strategy correspond to the fund or SPV;
• is there substance and risk control;
• are AML and ESG integrated into the operating model.

The absence of any of these elements almost guarantees a refusal or months-long due diligence.

Strategic ideas for success

To pass EU banks’ Due Diligence:

1. Provide an ownership structure with a minimum contribution of 125,000 EUR for qualified investors.
2. Integrate the ESG taxonomy: target: 50%+ share of green assets, symmetric GAR.
3. For venture use an SPV for seed/Series A, increasing liquidity through securitization.
4. Scale without AIFMD changes via an umbrella fund.

The COREDO team has already implemented 200+ projects: from crypto licenses in Dubai to EU banks for sustainable investments. We save you time by offering transparent processes and support at all stages. Contact us – we’ll turn your idea into a working structure with a high ROI.

Greetings — I am the CEO and founder of COREDO. Over nine years, my team and I have helped hundreds of entrepreneurs from Europe, Asia, and the CIS register companies in key jurisdictions, obtain financial licenses and build robust compliance. Today the focus is on sanctions-related AML in the EU, a topic that determines business survival in cross-border operations. Regulators are tightening control, especially with the launch of AMLA (Anti-Money Laundering Authority) on 31 December 2025, and COREDO’s experience shows: those who implement a risk-based AML approach in advance save time and avoid fines.

Sanctions control for international business

EU AML regulation is evolving under the influence of the Sixth Directive (6AMLD), which will come into full force on 10 July 2027. The key change in 6AMLD is personal criminal liability for directors and beneficiaries for circumventing sanctions and facilitating money laundering. Formal delegation of compliance no longer protects: regulators assess actual control and management involvement.

Imagine a client from Singapore planning payments to the EU. The COREDO team conducted risk profiling and identified a connection to politically exposed persons (PEP) through a chain of beneficiaries. We adjusted the structure, implemented monitoring of suspicious transactions and ensured compliance with 2025 KYC requirements. Result: the account was opened without delays, and the client obtained a license for payment services in Estonia.

Banks’ sanctions control focuses on payment structuring (smurfing) and indirect financing of sanctioned persons. Special attention is paid to operations that do not formally violate sanctions but create an economic effect in favor of sanctioned persons.

KYC and EDD in 2025

KYC verification of clients is now mandatory for all legal entities; KYC is no longer considered an “entry” procedure. In 2025 banks and regulators expect a continuous KYC process where the client profile is updated with every material change in activity or geography of operations.

How to apply the new EU KYC requirements to clients in 2025? Implement periodic KYC information reviews, once a year for standard clients, quarterly for high-risk ones. The transition period until 2027 allows updating databases over 5 years, but COREDO recommends starting now to avoid peak loads.

AMLA Powers, Supervision and Fines

AMLA will take direct supervision over the largest EU banks, applying a risk assessment methodology for direct supervision. Powers include administrative measures and fines: up to 10% of annual turnover or €10 million for the first violation.

The solution developed at COREDO for an Estonian fintech integrated a risk matrix taking AMLA fines into account. We configured transaction monitoring systems to detect anomalies such as payment structuring, and the client successfully obtained a crypto license, avoiding CFT (Countering the Financing of Terrorism) risks.

Banks block such transactions under a decision of the Council (CFSP), requiring Suspicious Activity Reporting (SAR).

Risk-oriented approach: assessment and monitoring

Risk-oriented AML, the basis of compliance requirements for banks. In practice, a risk-oriented approach does not mean complicating processes. On the contrary, it allows reducing the burden on low-risk operations and focusing resources where the likelihood of sanctions violations is truly high. Steps for implementation:

1. risk assessment (Risk Assessment): profile clients by geography, transaction type, and PEP status.
2. CDD/EDD: basic checks + enhanced checks for high-risk cases.
3. Transaction Monitoring: algorithms based on GNN (Graph Neural Networks) and FHE (Fully Homomorphic Encryption) detect money laundering networks.
4. Staff training and internal policies.

How to implement without complications? Start with automation: COREDO integrates ready-made platforms adapted to the EBA (European Banking Authority).

COREDO Case Studies: real solutions

• EU registration with an AML focus. A client from Asia opened a company in the Czech Republic. The COREDO team conducted KYC for legal entities, confirmed substance and opened an account despite a complex beneficial ownership profile.
• Obtaining a payments license in Cyprus. Integrated monitoring for 6AMLD, mitigated risks of blocking sanctions: license in 3 months.
• AML consulting for Dubai. For a holding structure we set up EDD for cross-border payments, avoiding AMLA fines.

These examples demonstrate: COREDO addresses registration, Licensing and AML compliance comprehensively.

GNN, FHE and automation trends

Money laundering volumes are 2-5% of global GDP, fines are growing. ROI from AML systems: payback in 12-18 months due to reduced risks.

Action plan for 2025-2027

1. Audit current KYC: verify beneficiaries, update to 2025 standards.
2. Implement risk profiling and monitoring.
3. Train the compliance office for AMLA supervision.
4. Document everything: regulators examine risk-related decisions.

Criteria for choosing a jurisdiction

Within COREDO this stage is called pre-jurisdictional audit. We model not only company registration but its further life: account opening, interactions with banks, the tax burden after 12–24 months and the possibility of obtaining licenses or investments.

• Tax regime. Look for rates from 0% in UAE Free Zones or 1% in Georgia for small businesses. Avoid double taxation through treaties – Cyprus offers special regimes for holding companies.
• Speed and bureaucracy. Serbia and Georgia: 3–7 days online, UAE: 3 days in a Free Zone.
• Banking services. A local account is opened automatically upon registration in the same jurisdiction.
  Important to understand: “automatically” does not mean “unconditionally”. Banks in Serbia, the UAE and the EU conduct their own AML onboarding. We prepare the package for the bank in advance: description of the business model, sources of funds and payment scenarios to avoid refusals and freezes at the start.
• Substance requirements. In the EU (Cyprus, Czechia, Estonia) since 2024 an office, employees and local reporting are required.
• Access to licenses. The UAE and Cyprus are ideal for payment services, forex and crypto.

Company registration: step-by-step plan

The process is standard, but details depend on the country. It is precisely the details that most often “break” projects: an incorrect company form, an unsuitable type of activity on the license, or errors in beneficiary data. These issues are hard to fix after registration, so we always account for them at the planning stage. Here is a universal algorithm from COREDO’s practice:

1. Choose the form. Sole proprietorship (IP) for simplicity, LLP/LLC to protect assets — personal liability is excluded.
2. Gather documents. Passport, proof of address, articles of association, beneficiary details. We prepare them to meet banks’ KYC requirements.
3. Submit an application. Online to the registry: Serbia – Agency, Georgia: State Registry, UAE through a Free Zone.
4. Open an account and obtain numbers. Tax ID and license are issued automatically.
5. Register as a taxpayer. In the UAE — first year, 6–18 months.

Obtaining financial licenses: crypto and forex

Licenses: the next level. obtaining a license practically always requires a properly registered company. A mistake at the first stage – choosing the ‘wrong’ jurisdiction – makes licensing either impossible or excessively expensive. Without them, business in fintech, trading or payments is impossible. COREDO’s practice confirms: Cyprus and the UAE lead in speed.

• Crypto and VASP. Cyprus (CySEC) – 3–6 months, requires an AML policy. UAE VARA – 2 months in a Free Zone.
• Banking and EMI. Estonia and Lithuania for the EU, Singapore for Asia – focus on capital adequacy and risk-weighted assets.
• Forex and payments. Czechia and Slovakia offer access to the EU without strict substance requirements.

AML consulting: what it is and why it’s needed

The solution developed by COREDO includes:

• Development of an AML policy with a risk assessment.
• Staff training on FATF and local regulations.
• Integration of software for transaction monitoring.

Post-registration support

COREDO case studies: real results

• Serbia for a CIS client. Opened an LLC online, integrated with EU banks. Tax savings of 40%, turnover doubled.
• UAE Free Zone for a trader. Obtained a crypto license, 0% tax. The client entered Asian markets in 2 months.
• Cyprus holding for an EU business. Substance + EMI license. Access to venture capital and the Schengen area.

Why 2025 Is a Turning Point for Company Registration

Choice of jurisdiction: strategy

Why these jurisdictions? Because they offer what a growing business really needs:

• Serbia attracts entrepreneurs with the simplicity of the registration process and the ability to operate online. Our COREDO team has executed projects where Serbian jurisdiction became an ideal entry point for European expansion thanks to low administrative barriers and transparent rules for foreigners.
• UAE, this is a completely different level. Here you can register a company in a Free Zone or on the Mainland. Free Zones allow 100% foreign ownership, corporate tax is almost absent, and registration takes as little as 3 days. Mainland registration offers a simple and transparent tax regime starting from 1% for small businesses, simplified reporting and opening a bank account. The registration process involves vetting of the applicant and their business, which usually takes up to several days.
• Georgia impresses with its speed and accessibility. To open a business in Georgia, you need to register on the State Registry website, complete online identification and choose a business form. Fast online registration and no requirement for the owner to be a tax resident make this jurisdiction ideal for startups.
• Cyprus is a unique combination of European regulation and flexible advantages. Special tax regimes for holding structures, simple reporting and English-language support create a favorable environment. Cyprus also provides residency through business investments: the opportunity to open a company, invest in the economy and obtain a residence permit. Processing takes 5–10 days.

Documentary basis: from simple to complex

• founding agreement and articles of association
• proof of registered address
• digital identification of founders (video verification, eIDAS, BankID)
• KYC questionnaires and information on beneficiaries
• proof of source of funds
• electronic signatures

This is not just a bank requirement; it reflects the global trend of tightening control and reducing AML risks in the financial system.

AML compliance: from theory to practice

• Customer Due Diligence (CDD) – basic verification of clients and partners
• Enhanced Due Diligence (EDD) – enhanced checks for high-risk clients and transactions
• Continuous KYC – continuous monitoring and updating of customer information
• PEP screening, checks against lists of politically exposed persons
• Sanctions screening – checks against the sanctions lists of the FATF and other authorities

• a designated AML officer responsible for compliance
• internal policies and procedures that comply with FATF recommendations
• a transaction monitoring system capable of detecting suspicious activity
• an AML training program for staff
• documentation confirming the origin of funds and the founders’ source of wealth

Differences between the EU and Asia

What to do after registration

COREDO’s strategic approach: how we help

1. Strategic planning
   We start not with documents, but with understanding the client’s goals. What business do you want to create? In which countries do you plan to operate? What level of risk are you willing to accept? What tax incentives do you need?
   Based on this analysis we recommend the optimal jurisdiction and company structure. For example, if you plan to work with cryptocurrency investments, we recommend choosing a jurisdiction that has clear MiCA requirements and a developed infrastructure for crypto business.
2. Due diligence and AML preparation
   We conduct enhanced due diligence on all founders and beneficiaries, checking them against sanctions lists and databases (Dow Jones, LexisNexis, World-Check). We also help prepare documentation proving the origin of funds and source of wealth.
   At the same time we develop AML policies and procedures that will comply with FATF requirements and local regulators. This includes appointing an AML officer, developing a staff training program and implementing a transaction monitoring system.
3. Registration and licensing
   We prepare all necessary documents and submit the application to the relevant authorities. We also coordinate the process with banks and payment systems to ensure a smooth opening of the corporate account.
4. Ongoing support
   After registration we continue to support the client. We assist with tax reporting, regulatory reporting, updating AML policies in accordance with changes in legislation and FATF recommendations.

Examples of solving complex problems

Example 1: Fintech company with foreign investors

Example 2: investment fund with a global structure

Example 3: Company with a high-risk profile

Key takeaways and recommendations

1. choice of jurisdiction: it’s a strategic decision that should take into account not only taxes but also the regulatory environment, the availability of banking services, and compliance with international standards.
2. AML compliance is not just a regulatory requirement; it’s the foundation of your business. Invest in it from the outset, and you’ll avoid costly problems down the line.
3. Document preparation is a critical success factor. Make sure all documents are prepared correctly and fully disclose information about beneficiaries and the source of funds.
4. Work with an experienced partner who understands local regulations and can tailor the process to your specific needs.
5. Don’t assume that registration is the finish line. It’s the start of a long-term journey that requires ongoing attention to compliance and adaptation to changes in legislation.

Conclusion

Our mission at COREDO: to help you overcome this complexity and create a sustainable, compliant structure that will serve as the foundation for your global expansion.

I welcome you as the CEO and founder of COREDO. Since 2016 our team has been helping entrepreneurs from Europe, Asia and the CIS build reliable structures abroad: from registering companies in the EU and Singapore to obtaining crypto-licenses in Dubai. Today I want to explain how a Legal Opinion (legal opinion) addresses real challenges: difficulties with company registration, licensing and AML compliance. Our experience at COREDO confirms: it is not a formality, but a strategic asset that saves time, minimizes risks and speeds up access to financing.

This case is typical for the EU: without a Legal Opinion the regulator is forced to interpret the documents and the business model on its own, which almost always leads to additional requests and pauses. A well-prepared opinion removes these uncertainties in advance and shortens the regulatory cycle many times over.

When a Legal Opinion Is Required

In 2025, company registration rules in the EU and Asia tightened: mandatory digital identification of founders, enhanced KYC and screening against sanctions lists. A Legal Opinion becomes mandatory when the regulator assesses a high-risk business: investment funds, forex brokers or crypto exchanges.

For one client we prepared a Legal Opinion for a license, integrating the standards of LMA (Loan Market Association) and ISDA (International Swaps and Derivatives Association). This confirmed the transparency of funding sources and reduced the risks of transaction disputes.

In Asian jurisdictions a Legal Opinion often serves to confirm that digital identification and remote governance procedures comply with local law and international AML/CFT standards. Without it, remote models are extremely difficult to scale.

This table reflects real cases: the COREDO team always adapts the opinion to the specific regulatory licenses of capital markets.

Legal Opinion during due diligence

For venture capital in the EU, a Legal Opinion for venture capital integrates verification of the company register and the tax authority. Ignoring this risks the ROI: practice shows long-term risks when issuing securities without an opinion reach 25% due to challenges to transactions.

Legal opinion on licensing crypto, forex and payment services

obtaining financial licenses: a pain for many. A Legal Opinion for crypto licensing is mandatory when scaling crypto services: the regulator checks AML policies and compliance for crypto exchanges. In crypto and fintech projects, a Legal Opinion additionally records the company’s position on the legal nature of digital assets, the liability of operators, and the applicable AML rules. This is especially important in jurisdictions where regulatory practice is still being formed. In Dubai, VARA requires an AML Legal Opinion to confirm risk assessment methodologies and the jurisdiction’s case law.

Payment service providers in Slovakia require a Legal Opinion for AML requirements. We integrated ESG criteria and automated reporting, ensuring cross-border transactions without disruptions.

The role of a legal opinion in registering legal entities abroad

Registration of a legal entity in the EU in 2025: digital identification, eIDAS signatures and KYC for high-risk businesses. A Legal Opinion for registering an EU legal entity confirms corporate status and minimizes legal risks. For a client from Asia we prepared a Legal Opinion on corporate status before opening in the Czech Republic; the process is remote, without visas.

In Asia (Singapore, Dubai) a Legal Opinion helps with foreign founders: verification of business immigration through SPV structures. In CIS regions, like Georgia, we combine it with tax incentives.

Legal Opinion: ROI and long-term support

LMA and ISDA standards in a Legal Opinion help minimize risks in cross-border transactions. When is a Legal Opinion mandatory to confirm corporate status in cross-border transactions? Always, when verifying authority and the enforceability of a contract. Ultimately a Legal Opinion is not an expense, but an investment in business governance. It shortens timelines, reduces regulatory and banking risks, and increases trust from investors and partners. That’s why at COREDO we recommend preparing a legal opinion not “on request”, but in advance — as part of a strategy for entering international markets.

(Total length: about 10,500 characters including spaces.)

I welcome you as the CEO and founder of COREDO. Over nine years my team and I have helped hundreds of entrepreneurs from Europe, Asia and the CIS register companies in key jurisdictions, from the Czech Republic and Cyprus to Singapore and Dubai, and successfully complete bank onboarding. Today we’ll examine, why EU banks refuse even licensed companies, and share proven solutions so you save time and avoid account freezes.

This is why a license by itself does not guarantee account opening: for the bank it is only one element of the overall risk picture, not a free pass.

Reasons for rejection during bank onboarding

Imagine: you register a company in Estonia or the Czech Republic, obtain a license for payment services, but the bank blocks the account application. Our experience at COREDO shows that in 70–90% of cases the issue is the Legal Opinion, a legal opinion that analyzes corporate registers, tax liabilities, licensed activities and AML aspects. EU banks, following EBA guidelines 2024-2025, require a complete package: a flawless opinion with an apostille, confirmation of UBO and source of funds.

We regularly see legal opinions that describe the company abstractly, without tying it to specific operations and jurisdictions. For a bank this is a critical drawback: if the document does not explain why this particular company in this structure performs these specific payments, it is perceived as formal and useless.

The COREDO team recently assisted a client from Singapore with a Pte Ltd license. EU banks refused due to cross-border AML risks: the logic of cross-border payment flows from Asia. We conducted a forensic UBO analysis, checked against the ACRA registry and notarized the chain of ownership. Result: the account was opened in a Czech bank within 14 days, without EDD delays.

Another trap: shelf companies or ready-made companies older than 5 years. COREDO’s practice confirms: 40% of AML onboarding failures are related to dormant status, where governance analysis reveals gaps in actual control. Regulators require an AML audit before onboarding, especially for high-risk profiles.

UBO verification and source-of-funds checks to prevent account blocking

UBO (Ultimate Beneficial Owner), ultimate beneficiaries: this is the foundation of KYC Due Diligence. Non-compliance with public registers leads to onboarding refusals and EDD. At COREDO we always start with a full verification: declarations of control, a forensic audit of the chain, confirmation of source of funds through bank statements and contracts.

One case: a company from Dubai with a forex license faced onboarding refusal in Slovakia. FATF risks from grey list jurisdictions triggered the block. The solution developed at COREDO: a strategic business plan with evidence of economic presence, integration of GDPR data protection and an AML audit. The account was activated, and foreign trade operations increased by 30% without fines.

Source of funds often becomes a trigger for account blocking. A common mistake by companies is limiting themselves to declarations of origin of funds. For banks this is not enough: a verifiable chain of documents is required, showing the link between business activity, contracts, receipts and the distribution of funds. The absence of even one link is interpreted as increased risk.Banks request evidence: not just declarations, but the full chain from supplies to payments. Under AMLA 2025, a deep audit is mandatory for PEP onboarding, we integrate it into onboarding, reducing risks by 80%.

EDD for shelf companies and 6AMLD

High-risk clients: PEPs, companies from Asia with AML non-compliances or ready-made companies: require EDD (Enhanced Due Diligence). The 6AMLD directive strengthens AML for payment providers and card issuance: banks block if there is no forensic analysis. Our approach at COREDO: we combine digital KYC 2025 with notarization, minimizing blocking metrics.

Practical example: an Estonian fintech with a shelf company from the Czech Republic. Bank refusal due to weak corporate governance. The COREDO team conducted a governance analysis, updated the articles of association, confirmed substance (office, staff). Now the client issues cards under 6AMLD. This example shows that bank onboarding problems are rarely fatal. In most cases they point to managerial and structural weaknesses that can be fixed before the next submission – provided the company is ready to rebuild governance and AML frameworks.

Your strategic steps

• Invest in a Legal Opinion in advance: a full registry analysis reduces rejections by 70-90%.
• Conduct an AML audit: mandatory for scaling foreign economic activity (FEA) in high-risk zones.
• Manage UBO and source of funds: forensic EDD for shelf companies prevents loss of operations.
• Integrate governance into KYC: the key to fintech expansion into Estonia or the Czech Republic.

The COREDO team implements this at every stage: transparently, with reporting and support. We acknowledge the challenges; regulations are tightening, but with our experience you will scale your business without losses.

Contact us if you need details about your case. Together we’ll build a reliable structure for the EU, Asia and the CIS.

As CEO and founder of COREDO, I see every day how entrepreneurs from Europe, Asia and the CIS face a negative AML audit. This moment turns ambitious growth into a crisis: fines, reputational risks and frozen accounts. Our experience at COREDO shows that the right remediation plan after an AML audit not only corrects violations – it strengthens the business, increasing ROI from compliance and opening doors to new licenses and markets.

Over the past 9 years I have seen dozens of AML remediation projects after a negative audit. And almost always the problem is not the absence of policies, but the gap between the documents and real operational practice.

In one project in the EU a client had 120 pages of AML policies and not a single documented rationale for EDD. This became the key trigger for the negative audit.

Imagine: your fintech startup in Estonia has just undergone an external audit under the EU AML directives, and the report identified gaps in KYC/CDD/EDD for high-risk clients from Asia. The regulator requires urgent measures, and you waste time rewriting policies manually. The COREDO team implemented something like this for a client from Singapore: we developed AML remediation in 45 days, integrating RegTech with AI for transaction monitoring. The result: zero repeat violations and a license for payment services, approved by the MAS (Monetary Authority of Singapore).

The regulator’s key questions are always the same:

• Is the root cause of the violations understood;
• Has a specific responsible AML officer been appointed;
• Is there control over remediation timelines;
• Is the effectiveness of the new measures being measured.

Negative AML audit: impact on business and COREDO