Regulatory Advisory

Regulatory Advisory & Licensing Support

The regulatory landscape for payment businesses has never been more complex or more consequential. PSPs, EMIs, neobanks and acquirers must navigate overlapping licensing regimes, evolving scheme obligations, AML/CFT requirements and cross-border FX controls — often simultaneously across multiple jurisdictions. FinPay Consultants provides practitioner-led regulatory advisory that translates complexity into workable, implementable compliance programmes.

Overview

The Regulatory Landscape for Payment Businesses

Payment businesses operate within a multi-layered regulatory environment. At the foundation sits the licensing regime of the jurisdiction in which they are authorised — the FCA in the UK, national competent authorities across EU member states under PSD2, the CBUAE in the UAE, the MAS in Singapore. On top of licensing obligations sit scheme membership rules (Visa, Mastercard), AML/CFT frameworks (FATF, AMLD6, local MLR equivalents), and cross-border payment regulations that govern FX transactions and cross-border fund flows.

For neobanks and fintechs launching across multiple regions, the complexity multiplies: a single card programme may require EMI authorisation in the EU, FCA registration in the UK, CBUAE licensing in the UAE and MAS authorisation in Singapore — each with different capital requirements, safeguarding rules, AML obligations and scheme registration processes. FinPay Consultants manages this complexity for clients, providing unified regulatory programme management across jurisdictions.

Our Regulatory Advisory Covers

  • Licensing and authorisation across EU, UK, GCC and APAC
  • Visa and Mastercard scheme membership — Principal and Associate
  • AML/CFT programme design aligned to FATF Recommendations
  • Cross-border payment regulations: FEMA, CBUAE, Bank Negara
  • SWIFT correspondent banking due diligence frameworks
  • Open banking regulatory compliance (PSD2, OBIE, FAPI)

Licensing

Licensing & Authorisation

EU: Payment Institution (PI) under PSD2, Electronic Money Institution (EMI) and EMD Agent

Under the revised Payment Services Directive (PSD2), payment institutions providing regulated payment services must obtain authorisation from a national competent authority in an EU member state. PSD2 Annex I defines eight payment service categories; initial capital requirements range from €20,000 (money remittance only) to €125,000 (PI with PISP or merchant acquiring). An Electronic Money Institution (EMI) licence also permits e-money issuance, with a higher initial capital requirement of €350,000.

An EMD Agent is a natural or legal person acting on behalf of an authorised EMI to distribute and redeem e-money — a lighter-touch model that does not require separate authorisation but is subject to the liability and registration requirements of the principal EMI. FinPay Consultants advises on jurisdiction selection for EU authorisation (balancing regulatory timeline, supervisory quality and passporting considerations), prepares programme of operations documentation, and manages the authorisation process from initial filing through to grant of licence.

UK: FCA Authorisation — PI, EMI and RAISP

The UK Financial Conduct Authority (FCA) authorises Payment Institutions under the Payment Services Regulations 2017 (PSRs) and Electronic Money Institutions under the Electronic Money Regulations 2011 (EMRs). Post-Brexit, UK authorisation is entirely independent of EU authorisation; EU passporting no longer operates in either direction. The FCA also registers Registered Account Information Service Providers (RAISPs) — a registration-only (not authorisation) category for entities providing account information services only, subject to a simplified qualification process.

FCA authorisation requires: minimum initial capital (£50,000 for PI, £350,000 for EMI), a robust programme of operations, a wind-down plan, safeguarding arrangements (segregation of relevant funds or insurance), MLRO appointment, business plan with five-year financial projections, and fit and proper assessment of all controllers and senior managers under the Senior Managers and Certification Regime (SM&CR). FinPay Consultants prepares complete FCA application packs and manages the assessment process.

GCC Region: CBUAE, SAMA, CBB and CBK Regulatory Frameworks

The Gulf Cooperation Council presents a diverse regulatory landscape for PSPs and fintechs:

  • UAE (CBUAE) — The Central Bank of the UAE licenses Retail Payment Services Providers (RPSPs) under the Retail Payment Services and Card Schemes Regulation. Licence categories include payment account issuance, payment initiation, payment instrument issuance, merchant acquiring, and money remittance. The CBUAE also regulates the domestic Jaywan card scheme and the Instant Payment Platform (IPP).
  • Saudi Arabia (SAMA) — The Saudi Central Bank licenses payment service providers, fintech sandbox participants, and domestic scheme operators. The Open Banking Framework (launched 2022) enables regulated TPP access to bank account data. SAMA's Fintech Saudi initiative provides a regulatory sandbox for innovative payment business models.
  • Bahrain (CBB) — The Central Bank of Bahrain licenses payment service providers under the CBB Rulebook Volume 5 (Specialised Licensees). Bahrain hosts the BENEFIT Company, which operates the domestic interbank payment network and national payment infrastructure.
  • Kuwait (CBK) — The Central Bank of Kuwait regulates electronic payment services and e-wallet operators. The Kuwait Payment Network (KNET) operates the national domestic card scheme under CBK oversight.

APAC: MAS PSA Singapore, RBI PPI Licence India, HKMA SVF Licence

Key APAC licensing frameworks for payment businesses include:

  • Singapore (MAS) — The Payment Services Act 2019 (PSA) establishes a risk-based licensing framework across seven payment service activities. Entities processing above defined thresholds require a Major Payment Institution (MPI) licence; below-threshold entities qualify for a Standard Payment Institution (SPI) licence or an exemption. The MAS PSA was substantially amended in 2021 to expand the scope of regulated digital payment token services.
  • India (RBI) — The Reserve Bank of India licenses Prepaid Payment Instruments (PPIs) under the Payment and Settlement Systems Act 2007. Two PPI categories exist: Small PPIs (limited KYC, restricted to purchase of goods/services) and Full-KYC PPIs (full interoperability with bank accounts and UPI). PPI issuers must also comply with RBI's Master Directions on Prepaid Payment Instruments.
  • Hong Kong (HKMA) — The Hong Kong Monetary Authority (HKMA) licenses Stored Value Facilities (SVFs) under the Payment Systems and Stored Value Facilities Ordinance. Multipurpose SVF licensees (e.g., Octopus, WeChat Pay HK, Alipay HK) are subject to capital requirements, float safeguarding, AML/CFT obligations and ongoing supervisory reporting.

Scheme Membership

Visa & Mastercard Scheme Membership

Visa Principal vs. Associate Membership Requirements

Visa Principal membership grants full participation rights: ownership of a BIN range, direct settlement with VisaNet, ability to issue and/or acquire under the Visa brand, and direct access to Visa scheme services. Requirements include minimum net worth of USD 10 million (or local regulatory equivalent), regulatory authorisation as a deposit-taking institution or payment institution, signed Visa Member Agreement, compliance with Visa Core Rules and Visa Product and Service Rules, and technical connectivity to VisaNet (direct or via a certified VisaNet processor).

Visa Associate membership is available for entities that do not qualify for or wish to pursue Principal membership. Associates participate under a Principal member's sponsorship, with the Principal assuming liability to Visa for all Associate transactions. The Associate model is commonly used by EMIs, programme managers and fintech card issuers. FinPay Consultants advises on membership tier selection and manages the Visa membership application and technical certification process.

Mastercard Principal Licence and Affiliate Licence

Mastercard's Principal Licence is the highest membership tier, granting direct settlement rights, BIN ownership and full access to Mastercard scheme services. Principal members must satisfy Mastercard's financial soundness requirements, regulatory licensing conditions, and technical certification requirements including MTIP (Mastercard Terminal Integration Process) for acquirers and issuer host certification for issuers.

The Mastercard Affiliate Licence enables participation under a Principal member. Affiliates must be registered by their sponsoring Principal in the Mastercard Connect portal and comply with Mastercard's scheme rules through the Principal's liability framework. Post-membership, all Mastercard members are subject to ongoing compliance obligations: annual SDP (Site Data Protection) programme compliance reporting, participation in scheme fraud monitoring programmes (EFM, ECM), and adherence to Mastercard Rules updates published quarterly.

AML / CFT

AML/CFT for Payment Businesses

The Financial Action Task Force (FATF) Recommendations establish the global baseline for anti-money laundering and counter-terrorist financing. For payment service providers, FATF Recommendation 14 (money or value transfer services), Recommendation 15 (virtual assets) and Recommendation 16 (wire transfer travel rule) are directly applicable.

FATF Recommendations for PSPs

FATF Recommendation 14 requires that money or value transfer services are licensed or registered in each jurisdiction in which they operate, maintain an AML/CFT programme, and are subject to supervision. PSPs must conduct risk assessments of their products, delivery channels and customer types; implement commensurate CDD and EDD measures; and file suspicious transaction reports with the relevant financial intelligence unit. FinPay Consultants designs AML frameworks that satisfy both FATF standards and the local implementation standards of target licensing jurisdictions.

Transaction Monitoring & Suspicious Activity Reporting

Effective transaction monitoring requires a combination of rules-based controls (velocity limits, structuring detection, geographic risk flags) and model-based anomaly detection. Alert calibration must balance false positive rate (which drives operational cost) against detection rate (which drives regulatory compliance). FinPay Consultants advises on monitoring system selection, rules design methodology, alert threshold calibration, and the SAR/STR filing quality standards expected by the NCA (UK), FinCEN (US) and CBUAE AMLSCU (UAE).

PEP / Sanctions Screening

Screening against Politically Exposed Person (PEP) lists and sanctions lists (OFAC SDN, EU Consolidated List, UN Security Council, HMT Financial Sanctions, and local equivalents) must be embedded in both customer onboarding (name screening) and ongoing transaction monitoring (payment message screening). FinPay Consultants advises on screening platform selection, fuzzy matching threshold optimisation, false positive reduction strategies, and the regulatory notification obligations that arise from confirmed sanctions matches — including asset freezing procedures and competent authority reporting timelines.

Cross-Border

Cross-Border Payment Regulations

SWIFT Correspondent Banking Due Diligence

Correspondent banking relationships — the basis for most cross-border payment flows — require comprehensive due diligence between correspondent and respondent banks. SWIFT's Know Your Customer (KYC) Registry provides a standardised platform for exchanging due diligence documentation. Correspondent banks are increasingly applying enhanced due diligence standards aligned to the Wolfsberg Group's Correspondent Banking Due Diligence Questionnaire (CBDDQ), covering AML governance, transaction monitoring capabilities, sanctions screening procedures, and FATF Travel Rule compliance for wire transfers.

FinPay Consultants advises payment institutions on building the due diligence documentation package required to establish and maintain correspondent banking relationships, and on managing the risk of de-risking by global correspondent banks.

FX Regulations: FEMA (India), CBUAE (UAE), Bank Negara (Malaysia)

Cross-border payment businesses must navigate specific FX regulatory frameworks in each market:

  • FEMA (India) — The Foreign Exchange Management Act 1999 governs all cross-border FX transactions in India. Payment aggregators and payment gateways facilitating cross-border e-commerce must obtain RBI authorisation under the PA-PG guidelines, comply with reporting obligations under FEMA, and ensure all inward remittances are reconciled against underlying import transactions or permissible capital account transactions.
  • CBUAE (UAE) — The Central Bank of the UAE regulates foreign exchange and remittance businesses under the Retail Payment Services and Card Schemes Regulation. Cross-border remittance providers must be licensed as RPSPs and comply with CBUAE's AML guidelines for money remittance, including real-time sanctions screening of all outbound transfers and FATF Travel Rule compliance for transfers above AED 3,500.
  • Bank Negara Malaysia (BNM) — BNM regulates cross-border payment services under the Financial Services Act 2013 and the Money Services Business Act 2011. MSB licensees must comply with BNM's AML/CFT policy documents for money services business and the Foreign Exchange Policy on cross-border payment reporting obligations.

Frequently Asked Questions

PCI DSS v4.0, effective March 2024 with all new requirements mandatory from March 2025, introduces several material changes. Customised Implementation allows organisations to demonstrate compliance via a defined approach or a customised approach (previously called compensating controls) with greater flexibility but requiring an assessor to validate control effectiveness. New requirements include: targeted risk analysis for each requirement where the organisation determines its own frequency; multi-factor authentication (MFA) required for all access into the cardholder data environment, not just remote access (Req 8.4.2); expanded e-commerce security requirements including integrity of payment page scripts (Req 6.4.3) and HTTP security headers; and network security controls replacing the term "firewall" to encompass cloud-native controls. Organisations still on PCI DSS 3.2.1 should begin gap assessment immediately.

PSD2 Strong Customer Authentication (SCA) requires that electronic payment transactions in the EEA use at least two independent factors from: something the user knows (PIN, password); something the user has (device, card); something the user is (biometric). For card-not-present transactions this is operationalised through 3DS 2.x — the issuer's ACS evaluates the transaction and either approves frictionlessly via risk-based authentication (RBA) or challenges the cardholder. SCA exemptions available to acquirers include: low-value transactions below €30 (cumulative limits apply); merchant-initiated transactions (MITs); and transaction risk analysis (TRA) exemptions where the acquiring PSP's fraud rate is below defined thresholds (0.01–0.13% depending on amount). Issuers may honour or override exemption requests; ultimately the issuer determines authentication requirements.

Payment service providers processing EU/EEA cardholder data are subject to GDPR as data processors (and often as joint controllers with merchants). Key obligations include: maintaining a Record of Processing Activities (RoPA) for all cardholder data processing; ensuring Data Processing Agreements (DPAs) with all sub-processors, including scheme networks, fraud bureaux, and cloud infrastructure providers; applying data minimisation — do not retain PAN data beyond the authorisation/settlement cycle unless there is a lawful basis; and implementing technical measures (tokenization, truncation, point-to-point encryption) to reduce personal data exposure. Cross-border data transfers (e.g. scheme authorisation routing through US-based networks) must be covered by Standard Contractual Clauses (SCCs) or Binding Corporate Rules. Data breach notification to the supervisory authority is required within 72 hours.

Navigate regulation with confidence.

Whether you are applying for an EMI licence, joining a card scheme or building an AML/CFT programme from the ground up, FinPay Consultants provides the specialist guidance you need to move forward efficiently and compliantly.