Relocating a fintech company between jurisdictions: regulatory pitfalls

I have been managing COREDO since 2016, and I see that the relocation of a fintech company between jurisdictions is no longer an exception. It is a practical tool for managing regulatory risks, scaling and reducing operating costs. But a fintech company relocation is never just about a “new license”; it is about the business model, substance, the AML framework and resilience to supervisory stress.

Our experience at COREDO has shown that a successful transition does not begin with choosing “where a permit will be issued faster”, but with the question “which market, regulatory regime and tax status will deliver the best return with controlled risks”. In this article I have compiled a practical guide for executives and CFOs responsible for international company registration, licensing and compliance. I will be specific, drawing on COREDO’s practice in the EU, the United Kingdom, Singapore, Dubai and a number of Asian and European jurisdictions.

When should fintech companies change their jurisdiction?

Relocation makes sense when the combination of regulatory pressure, bank de-risking and the tax model makes the current jurisdiction less competitive. Often the trigger is a change in rules, for example requirements for safeguarding client funds or capital adequacy for EMI/PI, which have sharply affected unit economics. In that case relocation allows you to preserve margins and access to payment rails.

The second scenario is limited scalability. If PSD2 passporting is unavailable or has been lost after corporate changes, or local rules do not recognise the agent or distribution model, it is sensible to consider restructuring: a subsidiary in the EU, a local license instead of an agency scheme, or moving core functions to a jurisdiction with stable banking access. COREDO’s practice confirms: a timely transition prevents the cascade risk of correspondent account closures and loss of the client base.

Finally, relocation is justified when the new jurisdiction objectively increases market trust: supervisory reputation, the presence of a RegTech ecosystem, stability of interaction with the FIU, and predictability of onsite inspections. These factors directly translate into the cost of capital raised and the speed of integrations with partner banks.

Risks and business model when relocating

Regulatory mapping and gap analysis

Any project begins with regulatory mapping: we build a map of requirements in the current and target jurisdictions, compare PSD2/EMI/PI, MiCA/AMLD5–AMLD6, local safeguarding and governance rules. The COREDO team has implemented dozens of such maps and sees a recurring pattern: significant “gaps” lie in governance (the role of independent directors, frequency of committees), transaction monitoring (SAR rules, TMS scenarios) and data governance (GDPR, data localization).

The gap analysis covers: licensing (local license requirement vs license passporting), FIU reporting obligations and SAR submission deadlines, requirements for UBO disclosure and beneficial ownership registers, equivalence of sanctions screening, as well as supervisory cooperation and information exchange between regulators. The result: a remediation roadmap with budget and KPIs.

How relocation affects business and ROI

A change of jurisdiction affects ROI through four channels: capital requirements (capital adequacy for EMI/PI), the cost of safeguarding (trust vs ring-fencing), compliance costs (CCO staff, TMS/RegTech), and taxes (transfer pricing, tax residency of management and the company). The solution developed at COREDO includes a financial model with sensitivity to de-risking of correspondents, sanctions screening and the probability of onsite inspections.

We reduce the financial model to metrics: CAC/LTV after transfer, the share of AML-related blocks, delays in cross-border payments (SEPA/SWIFT), and the “license price” in annual operating costs. With significant capital controls or currency regulation we add a liquidity risk coefficient.

Structure, substance and governance

Substance is not about the “legal address.” Regulators test managerial substance: whether management decisions are actually made in the jurisdiction, whether there is an office, key personnel, regular board meetings. I constantly stress to clients: lack of substance is a direct risk of license refusal and subsequent supervisory enforcement.

Corporate structure and tax optimization during relocation must comply with transfer pricing rules and tests of beneficial ownership of income. We use a matrix: functions (governance, risk management, AML), assets (TMS, core banking), risks (credit, operational) — and allocate them among group companies so that the tax residency of management does not conflict with the license and reporting.

Correspondent account compliance

De-risking of banking correspondents is one of the most painful topics. Banks terminate relationships when sanctions pressure rises, when working with high-risk jurisdictions, or when screening against OFAC/EU lists is insufficient. I advise building correspondent banking relationship management as a strategic function: regular meetings, sanctions compliance scenario tests, and reports on screening effectiveness.

The COREDO team implemented a sanctions framework for clients taking into account the FATF greylist, international sanctions control networks and local advisories. This helped protect positions in the payment rails and reduce the risk of sudden disconnections.

Licensing PSD2, EMI/PI, MiCA and VASP

Licensing and “migration” of licences come to the fore when a company changes jurisdiction or product matrix; this concerns PSD2, EMI/PI, MiCA and VASP. Let’s examine which elements can actually be transferred when changing jurisdiction, and what will require re-certification and adaptation to new requirements.

License transfer when changing jurisdiction

The terms “migration of an e-money licence” and “transfer of a payment institution licence” are often used, but the licence does not literally “move”. In most cases this means obtaining a new licence in the target jurisdiction, parallel work on passporting (if available in the EEA) and a structured wind-down of the old permission. The exceptions are rare cases of re-domiciliation that preserve legal succession, but this is rather a corporate reorganisation followed by reauthorisation.

COREDO’s practice confirms: a properly planned transition includes a regulator-agreed plan for transferring operations, safeguarding and communications with clients and agents. This reduces the risk of service interruption and supervisory claims.

Registration of an entity for PSD2 passporting

Registration of a legal entity in the EU for fintech is not a formality, but the foundation for passporting. License passporting under PSD2 within the EEA allows providing payment services via notifications, but does not replace a local licence outside the EEA. Equivalence decisions improve cooperation and sometimes speed up banks’ due diligence, but do not substitute for authorisations.

We start interaction with the regulator with pre-approval consultations and regulatory notifications. Supervisory cooperation simplifies the exchange of information when transferring clients and agents, especially if an agent distribution model is used.

Safeguarding and capital requirements

Capital requirements for EMI/PI depend on the volume of operations and the risk profile; capital adequacy is an area of close attention during relocation. I separately review models for safeguarding client funds: trust accounts, ring-fencing, escrow and trustee accounts. Regulators assess the frequency of reconciliation, the procedure for liquidity stress-testing and plans in the event of a partner bank default.

Liquidity and e-money requirements include rules on the immediate availability of funds and the independence of managers of client funds from the company’s commercial cashflow. During the transition period it is critical to ensure continuity of safeguarding and the correct transfer of balances.

MiCA, VASP and the travel rule in crypto

Licensing a crypto company in the EU is undergoing qualitative changes because of MiCA. VASP registration in Europe increasingly becomes a full authorisation with an emphasis on governance, risk management and consumer protection. The travel rule for crypto transactions is becoming a standard; non-compliance is a frequent reason for banks to refuse service.

Licensing crypto-assets requires a licensing checklist: descriptions of tokenomics, KYC/CDD procedures and EDD for PEPs, transaction monitoring with SAR rules and on-chain analytics, as well as a sanctions screening policy covering EU and OFAC lists. The COREDO team runs MiCA projects with a focus on integrating AML systems and addressing conflicts between blockchain privacy technologies and regulatory expectations.

Licensing timelines

Timelines for obtaining a fintech licence in the EU usually range from 6 to 12 months, and in Asia from 4 to 9 months, depending on the completeness of the document package, substance and the maturity of compliance. There are sandbox programmes (FCA, MAS, BaFin) that shorten the path to product testing but do not replace full licensing. A sandbox exit strategy is a mandatory part of the plan: commercialisation, migration of clients and compliance with the full set of requirements.

Agreements on mutual recognition of licences are encountered sporadically, more often in capital markets or insurance, and not in payments and e-money. Therefore, when relocating a fintech I rely on local licensing or passporting within the EEA.

AML/CTF and sanctions framework during relocation

When relocating a company it is critically important to consider AML/CTF issues and build an effective sanctions framework to minimize legal and operational risks.

Risk-based approach in AMLD5/AMLD6

The risk-based approach is the basic methodology. We combine FATF recommendations, AMLD5 and AMLD6 requirements and local empirical regulatory practices. The risk matrix includes geography, product type, customer behavior, partner and agent risk. FIU reporting obligations are documented, specifying transaction thresholds, SLAs for filing SAR/STR and escalation procedures.

An important element is preparing for supervisory enforcement trends: regulators check not only the existence of a policy but also evidence of its implementation. I recommend conducting mock onsite inspections and independent AML audits before submitting the license application.

KYC, CDD, EDD and UBO

KYC/CDD policies should cover identity, address and source-of-funds verification; EDD should pay attention to PEPs and customers from high-risk jurisdictions. KYB (Know Your Business) is mandatory for partners and agents, including verification of corporate structure, UBO and sanctions status.

Verification of beneficial owners (UBO) during relocation is often complicated by differences in beneficial ownership registers and the public availability of data. We use multiple sources to verify the beneficial owner: government registers, international databases, data provider reports and corporate documents with an apostille. This reduces the risk of a bank refusing onboarding.

Transaction monitoring and RegTech

Transaction monitoring systems and SAR rules are the heart of the AML framework. I insist on risk-scoring models responsive to the patterns of the specific business, and on effectiveness metrics: share of alerts resulting in SARs, alert closure time, and escalation rate. AML monitoring metrics and KPIs for the CCO are formalized in the policy and reviewed quarterly.

Integration of AML systems during mergers and relocation requires migration of historical data, regression testing of rules and their implementation into core banking and TMS. The solution developed at COREDO includes a RegTech stack (KYC, KYB, TMS) taking into account GDPR, data localization and performance at peak volumes.

Sanctions and high-risk jurisdictions

Sanctions compliance is not only screening against OFAC/EU lists, but also a policy to control transactions with high-risk jurisdictions, monitoring the FATF greylist and local restrictions. The sanctions framework should be validated by regular testing, staff training and independent audit.

In international practice we see an increasing importance of engagement with correspondent banks on sanctions: joint tabletop exercises and analytical exchange help preserve access to SWIFT and the resilience of cross-border payments.

Operational issues: data, payment rails

Operational issues include data, payment rails and outsourcing, three pillars on which regulatory compliance and service quality depend.

GDPR, localization and data privacy

Cross-border data transfers are subject to GDPR requirements and local personal data protection laws. Data localization may be required for specific markets; we define storage architecture and access routes in advance. Privacy conflicts between blockchain technologies and regulators are resolved through selective disclosure, cryptographic proofs and the delineation of controller and processor roles.

Critical processes include agreeing the DPA with providers, a DPIA for high-risk operations and an incident response procedure.

Payment rails and anti-fraud

Cross-border payment rails (SEPA, SWIFT, IBAN) require strict compliance with AML and sanctions procedures. Anti-fraud controls and chargeback management must be synchronized with the TMS to avoid conflicting decisions and reduce false positives.

PSD2 SCA requirements for authentication apply in parallel. Incorrect SCA implementation hurts conversion, so we validate UX and risk-scoring for exemptions while maintaining compliance with regulatory expectations.

Compliance outsourcing and agents

Outsourcing compliance functions saves costs but carries risk. Regulators require the licensed entity to retain decision-making responsibility, to supervise the provider and to have a business continuity plan. I recommend splitting outsourcing into operational (KYC onboarding, screening) and analytical (model risk management) and explicitly defining metrics.

Agent banking and the agent distribution model are powerful tools, but regulatory traps are obvious: limits on delegating licensed functions, requirements for agent training and monitoring, and KYB for partner networks.

Safeguarding and wind-down during relocation

Safeguarding client funds during relocation is an area of heightened attention. The license closure procedure and transfer of operations must include agreement with the regulator, client notifications, transfer of trust/escrow agreements and an independent reconciliation of balances.

The contingency plan provides for surrendering the licence and an orderly wind-down if relocation takes longer or the regulator requires additional conditions. This reduces legal and reputational risks.

Taxes and reporting in corporate governance

Tax issues, accurate reporting and corporate governance practices directly affect a business’s financial stability and managerial risks.

Tax consequences of transfer pricing

Tax consequences of changing a fintech’s jurisdiction affect overall profitability. Analysis of regulators’ expectations regarding transfer pricing and taxes is no less necessary than licensing analysis. Group reporting, transfer pricing policy and allocation of functions in the value chain must be aligned with substance and risk management.

We also take into account capital controls and currency regulation: restrictions on capital outflows, reporting on foreign exchange transactions and requirements for documenting intercompany settlements.

Supervision and reporting

Supervisory requirements and reporting for fintech companies vary, but the overall trend is increased frequency and depth. Regulatory notifications and pre-approval consultations reduce the risk of ‘surprises’. We prepare a package in advance for onsite inspections: policies, training logs, AML KPI reports, committee minutes.

Whistleblowing processes and internal investigations are a mandatory component. They are part of a risk management culture and an important element during inspections.

How governance affects reputation

The impact of corporate governance on obtaining a license should not be underestimated. The composition of the board of directors, independent members, risk and compliance committees: these are signals to the regulator. Legal entity management during restructuring must ensure continuity of authority and transparency of beneficial ownership.

Reputational risk management and crisis PR are not secondary. Regulators and banks closely monitor incident management, information disclosure and readiness for stress.

M&A and due diligence: exit strategies

In M&A transactions for fintech companies, detailed due diligence is especially important — it shows not only the financial condition but also the resilience of the technology platform and compliance with regulatory requirements.

Due diligence when buying a fintech

Acquiring a licensed asset speeds up market entry but increases risks. Due diligence when buying a fintech in another jurisdiction includes vendor due diligence, third-party risk, KYB checks of counterparties and agent networks. We check the quality of AML programs, the history of FIU reporting, inspection results and outstanding regulatory orders.

The COREDO team handles such deals with a focus on regulatory gaps and a remediation plan to avoid surprises after closing.

Mistakes when opening a subsidiary

Regulatory traps when opening a subsidiary include inconsistent functional allocation, attempting to rely on license passporting where a local license is required, and underestimating substance requirements. The solution is early dialogue with the regulator, a clear governance plan and a transparent intra-group revenue model.

De-risking by banks and the closure of correspondent accounts often follow from an unclear business model. Therefore I always include a bank relationship management program at the planning stage.

License refusal: Plan B

A license refusal is not the end. Exit strategies include re-filing with remediations, relocating to an alternative jurisdiction, purchasing a licensed asset, or temporary operation through an agency model. A contingency plan must be ready before submitting the application: it saves months and protects P&L.

The assessment of costs and return on investment (ROI) of relocation is updated at every stage: new information from the regulator, requirements for staffing or safeguarding can change the initial assumptions.

COREDO case studies: three relocation scenarios

Relocating a payments business to the EU

Client: a payment organization with a PI in one EU country. Goal – expansion to multiple EEA markets. We conducted regulatory mapping, assessed PSD2 license passporting, prepared notifications and agreed on a plan to expand the agent network. At the same time we strengthened safeguarding: opened additional trust accounts and implemented daily reconciliation.

Result: 4 months of preparation and 2 months for passporting, with no interruption to operations. A bonus was reduced compliance costs thanks to the unification of the TMS.

Licensing a crypto company under MiCA

Client: a wallets and exchange services provider. We compiled a licensing checklist under MiCA, prepared KYC/CDD and EDD policies for PEPs, integrated the travel rule and on-chain analytics into the TMS. Special attention was paid to GDPR and cross-border transfer of personal data, including a DPIA and DPAs with providers.

As a result, the regulator accepted the application without significant queries, and partner banks accelerated onboarding thanks to a transparent sanctions policy and reports on effectiveness.

Relocation between Asia and Europe

A fintech licensed in Asia planned to enter the EU. We compared local license requirements in the EU and sandbox opportunities (FCA/BaFin), assessed substance and the tax residency of management. Interaction with the Asian regulator took into account the lack of mutual recognition of licenses, so we built a separate European structure with transparent transfer pricing.

The operational transition proceeded in stages: testing in the sandbox, applying for a license, migrating clients and surrendering part of the Asian products. The company retained access to SWIFT and expanded SEPA corridors without downtime.

Step-by-step plan: timeline

Preliminary audit (2–4 weeks)

  • Regulatory mapping and gap analysis.
  • Financial model: ROI, capital adequacy, safeguarding cost.
  • Assessment of substance, UBO and governance, sanctions and AML risk.

Registration of legal entity and substance (4–8 weeks)

  • Company registration, opening an office, hiring key personnel.
  • Governance setup: committees, independent directors, conflict of interest policy.
  • Protocols for relationships with correspondent banks and agents.

Licensing (3–9 months)

  • Preparation of the package for EMI/PI or VASP/MiCA.
  • Implementation of AML/KYC/CDD/EDD, TMS and sanctions screening.
  • Pre-approval consultations, responses to regulator requests, sandbox pilots if necessary.

Client and funds migration (4–12 weeks)

  • Plan for transfer of operations, notifications, contractual framework, travel rule and cross-border payments.
  • Safeguarding transfer: escrow/trustee, reconciliation, testing period.
  • Procedure for license termination and transfer of operations in the old jurisdiction.

Post-licensing oversight (12 months)

  • KPIs for the CCO, AML monitoring metrics, independent audit.
  • Onsite readiness, regular reports, whistleblowing processes.
  • Continuous improvement program and stress tests.

Fintech relocation checklist

  • Regulatory mapping and gap analysis for PSD2, MiCA, AMLD5/AMLD6.
  • Assessment of license passporting vs local license requirements.
  • Substance plan: office, staff, managerial substance tests.
  • Governance: board of directors, committees, CCO role policy.
  • AML program: risk-based approach, KYC/CDD, enhanced due diligence for PEPs.
  • KYB for partners and agents, vendor due diligence and third-party risk.
  • TMS: transaction monitoring, SAR rules, integration into core banking.
  • Sanctions compliance: OFAC/EU screening, control of high-risk jurisdictions, FATF greylist.
  • Safeguarding: trust vs ring-fencing, escrow and trustee accounts, liquidity tests.
  • Payment rails: SEPA, SWIFT, IBAN; anti-fraud and chargeback management.
  • GDPR: cross-border data transfers, data localization, DPIA and DPA.
  • Taxes: transfer pricing, tax residency of management and the company.
  • Supervision: FIU reporting obligations, supervisory cooperation, regulatory notifications.
  • Exit strategies: license refusal, contingency planning, license surrender and wind-down.
  • RegTech stack: AML, KYC, KYB, TMS; performance metrics and SLAs.
  • Plan for managing correspondent banks and de-risking consequences.
  • Analysis of equivalence decisions and mutual recognition agreements (where applicable).
  • Local agency networks and restrictions on delegating licensed functions.
  • Validation of the data sources used to verify beneficial owners.
  • Reputational risk management and crisis PR.

COREDO’s role as a partner

Relocating a fintech company is the synchronization of licensing, AML/sanctions compliance, governance, data and taxes. A mistake in any one element leads to a chain reaction: banks’ de-risking, release disruptions, and prolonged regulator inquiries. COREDO’s experience shows that those who start with regulatory mapping and an honest assessment of substance, and then execute the plan precisely with KPI control, win.

The COREDO team has delivered projects in the EU, the UK, Singapore and Dubai while maintaining operational continuity, correctly migrating safeguarding and with predictable timelines for obtaining approvals. If you are preparing a change of jurisdiction for a fintech license, VASP registration in Europe, migration of a payment institution model, or implementing MiCA/PSD2/SCA, join the conversation at an early stage. My colleagues and I will apply a methodology proven by dozens of projects and build an architecture that will withstand supervisory reviews and deliver the ROI that motivates relocation.
