Payment institutions in the EU: differences in regulatory requirements


Since 2016 the COREDO team has implemented dozens of projects for registering companies in the EU, Asia and CIS countries, obtaining financial licenses, setting up AML and launching operational processes for fintech. In this article I have compiled the experience that helps clients move from the idea of a payment service to an international scalable model with passporting, a transparent compliance function and a sustainable economic model.

The purpose of this text is to provide a clear roadmap: how to approach licensing payment institutions in the EU, where the pitfalls of PSD2 payment regulation in the EU lie, and how to turn regulation from a cost into a competitive advantage. COREDO’s practice confirms: sound planning, careful engagement with regulators and discipline in operational risk shorten timelines, reduce compliance costs and accelerate growth.

PI or EMI: license or partnership

The first fork: EMI license vs PI license. Licensing of an EMI and a payment institution differs in essence: an EMI may issue electronic money and hold customer balances in wallets, while a PI provides payment services without issuing e-money. These are different business risks, capital requirements and safeguarding procedures for customer funds in the EU, so the choice should be driven by the product roadmap.

I regularly see situations where a young fintech aims for an EMI, even though monetization is based on card acquiring and PIS/AIS within the open banking logic. In such cases an EU payment institution license is sufficient and scales faster through passporting of the payment institution in the EU. The solution developed at COREDO usually includes modeling revenue, liquidity management and capital requirements for 24–36 months, so as not to overload regulatory and operational perimeters prematurely.

The second fork — license vs partnership with a bank. A partnership model (sponsored BIN, white-label, agency agreements) speeds up an MVP launch and reduces CAPEX, but adds dependence on another party’s compliance policy and limits international scalability. Registering your own payment institution in the EU requires time and resources, but provides control, pricing flexibility and direct access to schemes and correspondent banks. Our team often builds a hybrid: a quick start through a bank partner, followed by opening a payment institution in the EU for key markets.

The legal structure is also important. Legal models — branch vs subsidiary — for entering the EU market offer different levels of substance and risk manageability. A subsidiary simplifies passporting and interaction with regulators, whereas a branch is suitable for testing hypotheses or limited presence. For non‑EU groups you need to consider passporting limitations and the lack of full equivalence: often the right move is to create EU substance with independent management and local compliance.

EU regulators: PSD2, EBA and discretions

PSD2 regulation of payments in the EU and the EBA’s guidance on payment services have formed the basic layer of requirements. But within this framework national PSD2 discretionary rules and differences in EU regulators’ requirements for payment institutions apply. Our experience at COREDO has shown that properly aligning national approaches saves months and reduces the amount of correspondence in the licensing process.

  • BaFin’s regulatory requirements for payment institutions place greater emphasis on IT security and outsourcing (MaRisk, BAIT), thorough management checks and clear segregation of duties. This is a market with intensive supervision and a high quality of dialogue, but expectations regarding substance and operational maturity are above average.
  • ACPR’s regulatory requirements for payment institutions focus on consumer protection, safeguarding and incident management. In an application, clarity of governance, third‑party contracts and a measurable staff training programme are valued.
  • DNB’s regulatory requirements for payment institutions have traditionally been strong on integrity risk and the management of outsourcing chains. In the Netherlands they pay close attention to control models, the independence of the compliance function and the realism of financial plans.
  • Banco de España’s regulatory requirements for payment institutions add an emphasis on local presence and reporting. The regulator expects a well‑thought‑out implementation of transaction monitoring requirements and scenario‑based risk analysis.
  • The Central Bank of Ireland’s (CBI) regulatory requirements are known for the strict “fitness and probity” threshold, the structure of PCF roles and the requirement for detailed operational resilience plans. It is one of the most consistent review practices in the EU.
  • CSSF and Banca d’Italia demonstrate high expectations for capital, IT controls and AML. In Italy it is important to describe ring‑fencing and liquidity buffers carefully, whereas in Luxembourg it is important to demonstrate mature risk management when outsourcing actively.

The ECB’s roles and supervision in payment infrastructure concern the oversight of clearing/settlement systems and systemically important operators. For PI/EMI the main contact is the national regulator, but ECB standards form the backdrop of expectations regarding resilience and incident reporting. The intensity of ongoing supervision and inspections varies across EU countries, but the general trend is a greater focus on operational risks and cyber resilience.

Capital, safeguarding and liquidity

Capital requirements for payment institutions in the EU depend on the range of services and are calculated under PSD2 methodologies (Methods A/B/C), and the minimum initial capital for a PI is usually in the range of €20–125 thousand. For an EMI it is higher, typically from €350 thousand, taking into account electronic money issuance and the specific risks of holding balances. Minimum initial capital is combined with ongoing own‑funds requirements, reserve buffers and a capital adequacy assessment based on stress tests and growth plans.

Safeguarding via segregated accounts vs trust accounts: a key choice of operational model. In some jurisdictions insurance/guarantee alternatives apply, but segregation of funds in accounts at credit institutions predominates. Differences in reserve and ring‑fencing requirements appear in the details: the timeframe for daily segregation, permissible custodian banks, reconciliation mechanics and independent audit checks.

Liquidity management and regulatory requirements boil down to maintaining sufficient own funds, covering peak loads and planning a «survival horizon» under stress scenarios. Liquidity and stress‑test reporting requirements in the EU are converging, but formats and frequency differ between BaFin, ACPR, DNB and CBI. COREDO’s practice confirms: early automation of ALM metrics and independent limit controls prevent regulatory issues at later stages.

AML/KYC: policy and metrics

AML requirements for payment institutions are built on the AML Directives (AMLD5, AMLD6) and the recommendations of FATF. They require assessing risks, applying KYC/KYB, beneficial owner (BO) verification procedures for PI, monitoring transactions and establishing reporting on suspicious operations. The solution developed at COREDO often includes risk matrices by jurisdictions, products and channels, as well as the design of an escalation “ladder” and exception handling.

KYC automation, eIDAS and remote identification speed up onboarding but require calibration that takes into account national rules and the risk level. Biometric identification and regulatory compliance are possible with strong liveness‑check procedures, template protection and independent testing. In correspondent banking relationships it is important to consider interaction with correspondent banks and their KYC requirements, since banks impose additional customer verification standards on PI/EMI.

Sanctions screening and sanctions compliance for payment companies imply matching customers and counterparties against OFAC/EU lists and local lists. PEP screening and management of elevated risk should be combined with flexible segmentation so as not to “strangle” conversion. Thresholds for suspicious transaction reports (STR) are interpreted differently, but the general EU logic is that STRs are filed on the basis of suspicion, not monetary thresholds, while thresholds are more often applied to other types of reporting.

Transaction monitoring systems and machine learning strengthen anomaly detection when models are supported by correct scenarios, a quality training sample and periodic validation. Managing false positives in AML and their impact on business processes is a separate discipline: our experience shows that rules optimization, alert prioritization and feedback from investigations reduce false positives by 30–50% without degrading the detection rate. AML program performance metrics (SAR rate, detection rate) should be recorded in the compliance function’s KPIs and regularly discussed at board of directors level.

SCA/RTS, GDPR and resilience


SCA and RTS requirements for payment providers have set standards for strong authentication and transaction risk management. Exemptions based on TRA and low amounts improve UX if risk models are properly calibrated and agreed with the regulator and processing partners. Open Banking integration and API requirements for TPPs imply resilient APIs, SLAs, version control and secure token management mechanisms.

Information security requirements and the GDPR for payment services in the EU set a high bar for data protection, processing transparency and data subject rights. Outsourcing to cloud providers and regulatory requirements on data localization require attention to storage location, access from third countries, encryption and audit rights. Contractual obligations when outsourcing critical functions must cover subcontractor control, inspection rights, RTO/RPO and exit plans.

Operational resilience management and BCP for payment providers are strengthened by DORA (Digital Operational Resilience Act) in the EU. Incident reporting and regulator notification rules require reporting significant operational or security events within specified deadlines and formats. Requirements for penetration testing and application security are complemented by vulnerability management, secure development and change control; material changes to the business model, services or geography must be notified to the regulator.
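The SCA exemptions mentioned above (low‑value transactions, transaction risk analysis and trusted beneficiaries) are easiest to understand as a decision function that a PSP runs before each remote card payment. The following is an added example written for this article, not code from COREDO or from any PSP. The threshold values are the ones laid down in the PSD2 RTS (Commission Delegated Regulation (EU) 2018/389, Articles 14, 16 and 18 with the Annex, remote card‑based column); the payer session state, the PSP’s rolling fraud rate, the payee identifiers and the `risk_low` flag standing in for the real‑time risk analysis are all constructed for illustration. It shows the calibration point the paragraph makes: the TRA exemption ceiling moves with the PSP’s own fraud rate, and a transaction that fails the real‑time risk check falls back to SCA regardless of amount.

```python
"""Illustrative SCA exemption decision for a remote card payment under the PSD2 RTS.

Thresholds are those of Delegated Regulation (EU) 2018/389 (Art. 14, 16, 18 and
the Annex). Session state, fraud rate and payee ids are constructed examples.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Art. 16: low-value remote electronic payment transactions.
LOW_VALUE_MAX = Decimal("30")              # single transaction ceiling, EUR
LOW_VALUE_CUMULATIVE_MAX = Decimal("100")  # previous transactions since last SCA, EUR
LOW_VALUE_MAX_PREVIOUS = 5                 # previous transactions since last SCA

# Art. 18 + Annex (remote electronic card-based payments):
# exemption threshold value (EUR) -> maximum reference fraud rate in percent.
TRA_TIERS = [
    (Decimal("100"), Decimal("0.13")),
    (Decimal("250"), Decimal("0.06")),
    (Decimal("500"), Decimal("0.01")),
]


@dataclass
class PayerSession:
    """Per-payer counters a PSP keeps between applications of SCA (constructed)."""
    amount_since_last_sca: Decimal = Decimal("0")
    count_since_last_sca: int = 0
    trusted_beneficiaries: set = field(default_factory=set)  # Art. 14 whitelist


@dataclass
class Txn:
    amount_eur: Decimal
    payee_id: str
    risk_low: bool  # outcome of the PSP's real-time risk analysis (Art. 18(2)), assumed


def tra_ceiling(fraud_rate_pct: Decimal) -> Decimal:
    """Highest TRA exemption threshold the PSP's reference fraud rate qualifies for.

    Returns 0 when the rate exceeds even the 0.13% tier, i.e. no TRA exemption.
    """
    ceiling = Decimal("0")
    for etv, max_rate in TRA_TIERS:
        if fraud_rate_pct <= max_rate:
            ceiling = etv
    return ceiling


def decide_sca(txn: Txn, session: PayerSession, psp_fraud_rate_pct: Decimal):
    """Return (sca_required, reason) for one transaction.

    The issuer may still decline an exemption the PSP applies; this models only
    the PSP-side decision.
    """
    # Art. 14: payee on the payer's list of trusted beneficiaries.
    if txn.payee_id in session.trusted_beneficiaries:
        return False, "art14_trusted_beneficiary"
    # Art. 16: amount <= 30 EUR and (previous cumulative <= 100 EUR or <= 5 previous).
    if txn.amount_eur <= LOW_VALUE_MAX and (
        session.amount_since_last_sca <= LOW_VALUE_CUMULATIVE_MAX
        or session.count_since_last_sca <= LOW_VALUE_MAX_PREVIOUS
    ):
        return False, "art16_low_value"
    # Art. 18: low risk per real-time analysis and amount within the fraud-rate tier.
    if txn.risk_low and txn.amount_eur <= tra_ceiling(psp_fraud_rate_pct):
        return False, "art18_tra"
    return True, "sca_required"


def record_outcome(session: PayerSession, txn: Txn, sca_applied: bool) -> None:
    """Update the Art. 16 counters: reset after SCA, accumulate otherwise."""
    if sca_applied:
        session.amount_since_last_sca = Decimal("0")
        session.count_since_last_sca = 0
    else:
        session.amount_since_last_sca += txn.amount_eur
        session.count_since_last_sca += 1


def run_example() -> list:
    """Run a constructed sequence of payments and return the decision reasons."""
    session = PayerSession(trusted_beneficiaries={"payee-landlord"})
    fraud_rate = Decimal("0.05")  # constructed: qualifies for the 250 EUR tier only
    txns = [
        Txn(Decimal("20"), "payee-cafe", risk_low=True),
        Txn(Decimal("200"), "payee-shop", risk_low=True),
        Txn(Decimal("200"), "payee-shop", risk_low=False),
        Txn(Decimal("600"), "payee-shop", risk_low=True),
        Txn(Decimal("900"), "payee-landlord", risk_low=True),
    ]
    reasons = []
    for t in txns:
        required, reason = decide_sca(t, session, fraud_rate)
        record_outcome(session, t, required)
        reasons.append(reason)
    return reasons


if __name__ == "__main__":
    for r in run_example():
        print(r)
```

The example deliberately keeps the fraud‑rate tier table separate from the decision logic: in practice the reference fraud rate is recomputed quarterly from reported fraud, and a PSP whose rate drifts above 0.13% loses the TRA exemption entirely, which is why the paragraph stresses calibrating and agreeing the risk model with the regulator and processing partners.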

Outsourcing and fraud prevention

Outsourcing and third-party management in payment institutions are an area of increased inspection scrutiny. Management of business partners and due diligence of vendors should include assessment of financial stability, security controls and the compliance of their subcontractors. Requirements for third-party risk management and SLAs imply metrics for availability, response times, quality of investigations and a documented escalation procedure.

Differences in national regulators’ approaches to combating fraud affect the set of minimum measures, but the overall trend is a combination of behavioral analytics, device‑fingerprinting and channel monitoring. Regulatory measures against fraud and chargebacks require close cooperation with scheme providers and acquirer banks. Integration of fraud prevention with UX and conversion is achieved through adaptive application of SCA, whitelists of trusted beneficiaries and thoughtful user communication.

Regulatory frameworks affect both permitted and prohibited business models for payment institutions, including restrictions on holding funds outside safeguarding and mixing client and own funds. Regulatory restrictions on FX and cross-border payments vary by country, especially regarding correspondent chains and exotic currencies. Regulation of interbank settlements and clearing (SEPA) sets standards for formats and timelines, and connection to schemes requires mature processes and a reliable IT architecture.

Documents, timelines, and the economics of compliance

The documents and the package for applying for a payment institution license include a business plan, financial models, policies and procedures, a description of the IT architecture, outsourcing agreements, safeguarding mechanics, a BCP/DR plan, compliance matrices, and management questionnaires. The COREDO team carefully synchronizes the operational and legal parts so that no “gaps” arise between the business and compliance vocabularies in correspondence with the regulator. This reduces the number of request rounds and speeds up the process.

The time to obtain a payment institution license in different EU jurisdictions ranges from 6–9 months up to 12–18 months, depending on team readiness and the complexity of the business model. Average timelines across jurisdictions shorten if the pre-licensing dialogue is built on a clear picture of risks and realistic KPIs. The regulatory sandbox for fintech in the EU helps to test hypotheses and engage with regulators, but it has limitations in scale and types of operations and does not replace a full license.

The cost of PSD2 compliance for a business consists of CAPEX for preparation and IT, and OPEX for maintaining compliance, audit and reporting functions. Comparing CAPEX and OPEX shows that investments in automating KYC rather than relying on manual review pay off at a scale of tens of thousands of onboardings per year. ROI metrics when implementing compliance requirements include the reduction in false positives, account opening time, the proportion of blocked fraudulent transactions, and a decrease in regulatory inquiries.

Scalability, M&A and reputation

International scalability and passporting once local requirements are met are the main dividend of an EU license. The impact of national discretions of EU member states on the single payments market remains, so a go‑to‑market strategy for priority countries must take into account differences in reporting, local substance and consumer interaction. The concept of passporting and the restrictions for non‑EU companies remain relevant: for groups from third countries, having substance in the EU with independent governance is the practical standard.

Requirements for internal control and the compliance function should be strengthened as growth occurs: independence, direct access to the board of directors, regular reports and improvement plans. Audit and external reporting requirements, and preparation for and response to regulatory reviews and inspections, are organized through a pre-approved “playbook” and a set of KPIs/evidence. Managing reputational risks in case of non-compliance includes transparent communication, a corrective action plan and documenting progress.

Due diligence practices in M&A of payment platforms require verification of licenses, compliance with safeguarding, the quality of AML frameworks, contracts with third parties and any open regulatory issues. Exit scenarios in the event of license revocation and customer protection must be predefined in BCP plans and in safeguarding agreements. The impact of regulatory barriers on user growth and on the pricing model of payment services should be considered when planning unit economics and choosing markets.

MiCA and tokenized assets

Crypto payments regulation and its intersection with MiCA are becoming a new reality for payment companies that want to accept or convert digital assets. Rules for e-money and the issuance of tokenized assets differ, and custodial vs non-custodial models in payments carry different risks and expectations regarding controls. At COREDO we help separate the flows: payment services under PSD2, e-money under an EMI, and crypto services under national and pan-European MiCA regimes, so as not to “mix” risks and licences.

Outsourcing of critical functions in the crypto part requires special attention to the chain of subcontractors and key storage. Regulators expect clear answers on sanctions screening, the origin of funds and monitoring of blockchain transactions. International cooperation on AML and FATF recommendations for VASPs impose additional checks, which are important to consider when integrating the crypto pathway into the overall risk appetite of a PI/EMI.

COREDO case studies – from application to growth

One of the projects: a payment institution license in Ireland. The client came with an ambition for instant‑payments in the B2B market and a plan for fast cross‑border transfers. The COREDO team built governance to meet CBI requirements, described TRA models for SCA/RTS, prepared outsourcing agreements and a BCP plan taking DORA into account. As a result the application passed with a minimal number of queries, and after obtaining the license the client successfully implemented passporting to several EEA countries.

Another example – a fintech company’s entry into the German market targeting open banking services. We mapped BaFin’s IT and outsourcing requirements against the existing cloud architecture, strengthened change control and implemented an independent pen‑testing process. At the same time an approach to safeguarding via segregated accounts at a tier‑one bank was agreed and transaction monitoring scenarios were configured, which reduced operational risks and sped up integration with partners.

The third case – scaling a Spanish PI with added FX functionality. COREDO’s practice confirmed that Banco de España pays close attention to cross‑border chains and liquidity. We implemented stress tests on currency positions, negotiated additional limits with correspondents and updated the AML policy with a focus on exotic corridors. As a result the company maintained its growth pace without supervisory objections.

Payment institution launch checklist

  • Licensing strategy and geography. Determine where local substance is critical and how quickly passporting is required, and build a PI vs EMI and bank‑partnership vs own‑license model over a 24‑month horizon. This approach reduces regulatory duplication and unnecessary costs of rebuilding the architecture.
  • Financial resilience and safeguarding. Calculate capital and buffers, choose a segregated vs trust account model, prepare agreements with custodian banks and descriptions of reconciliations. Ensure that ALM metrics and stress scenarios are available “at the push of a button”.
  • Compliance and AML. Set up KYC/KYB, BO checks, OFAC/EU sanctions screening, PEP procedures and transaction monitoring with ML scenarios. Implement SAR/detection metrics and a false‑positives reduction program with feedback from investigations.
  • Technology and security. Implement SCA/RTS, an API policy for open banking TPPs, GDPR controls and a data processing register. Conduct an independent pen test and document BCP/DR plans under DORA with incident reporting procedures.
  • Outsourcing and third parties. Conduct supplier due diligence, agree SLAs, audit rights, exit plans and control subcontractors. Verify that the cloud architecture complies with local regulator requirements.
  • Reporting and inspections. Prepare a regulatory calendar, report templates, a playbook for inspections and a change‑notification process for business‑model changes. Regularly train staff and maintain a culture of compliance.

COREDO’s scalable regulatory growth

Registrations, licences and AML are not “paperwork”, but a risk-management system that underpins the international payments business. When the foundation is strong – capital requirements are met, safeguarding is transparent, SCA/RTS are implemented, the AML framework is measurable and technological – growth happens faster, and the dialogue with regulators becomes constructive. At COREDO I insist on sequence: first strategy and architecture, then documentation and evidence, and only then the submission.

Our experience at COREDO has shown that the right jurisdiction, a well-prepared licensing package and a mature operating model reduce time‑to‑market and the cost of compliance. The COREDO team speaks the same language as BaFin, ACPR, DNB, Banco de España, Banca d’Italia, CBI and CSSF, taking into account national discretions while the logic of PSD2 remains unchanged. We support clients from company incorporation to licensing as an EMI and a payment institution, from AML concept to incident reporting and DORA, helping build reliable, scalable and profitable payment businesses.

If your plan is to enter the EU and use passporting while keeping processes transparent and saving time, start with a well-considered roadmap. COREDO’s practice confirms: a strategy backed by measurable controls and attention to detail turns regulatory requirements into the foundation of long-term partnership with the market and regulators.
