How and Why Compliance Requirements Differ for PSPs, CSPs, and EMIs
Regulatory updates
Audit-readiness
If you have ever found yourself in a meeting where someone used the terms PSP, EMI, and CSP more or less interchangeably, you are not alone. From the outside, all three types of business operate in or adjacent to financial services, they all have compliance teams, they all deal with regulators, and they all take AML seriously. But the similarities mostly stop there.
Under EU law, these are three distinct entity types with fundamentally different regulatory footprints. A Payment Service Provider lives inside the payments licensing framework. An Electronic Money Institution issues stored value and is bound by a capital and safeguarding architecture that does not apply to most PSPs. A Corporate Service Provider sits outside the financial licensing regime entirely but carries heavy obligations as an AML-obliged entity with a uniquely high exposure to ownership structures and company formation risk.
Getting this distinction wrong has real consequences. It affects how you structure your compliance programme, what licences you need, how much capital you must hold, which regulators you report to, and how you prepare for the wave of regulation landing across the EU between now and 2027. This article unpacks all of it.
Why the Distinction Matters More Than Ever in 2026
The EU's regulatory landscape for financial services is in the middle of its most significant overhaul in a decade. The Digital Operational Resilience Act has applied since January 2025. The AMLA became operational in July 2025. PSD3 and the Payment Services Regulation reached provisional political agreement in November 2025, with formal adoption expected in 2026. And the Anti-Money Laundering Regulation, which creates a single rulebook replacing the old patchwork of AML directives, becomes fully applicable on 10 July 2027.
Each of these instruments lands differently on a PSP, an EMI, and a CSP. Understanding exactly where the weight falls on your specific entity type is no longer optional.
What Is a PSP, an EMI, and a CSP? Starting With the Basics
Before comparing compliance frameworks, it is worth being precise about definitions, because the terms get misused constantly.
A Payment Service Provider is the broad legal category covering any entity authorised to provide payment services. Under Directive (EU) 2015/2366 (PSD2), PSPs include payment institutions, credit institutions that offer payment services, e-money institutions, and account information and payment initiation service providers. So EMIs are technically a subset of the PSP category, but in practice the two terms are used to describe different types of businesses, which is why this article treats them separately, as the regulatory requirements genuinely differ.
An Electronic Money Institution is a specific entity type authorised under Directive 2009/110/EC (EMD2) to issue electronic money, which the law defines as electronically stored monetary value representing a claim on the issuer, issued on receipt of funds, and accepted by persons other than the issuer. The practical application is digital wallets, prepaid cards, multicurrency payment accounts, and stored-value instruments. EMIs can also provide all of the payment services that a payment institution provides, but the additional capability of issuing e-money creates a distinct compliance architecture around capital, safeguarding, and redemption rights.
A Corporate Service Provider is a different kind of entity altogether. CSPs incorporate and administer companies on behalf of clients, provide registered office and director services, manage trusts, and help businesses establish and maintain legal structures. They do not hold payment licences and are not subject to PSD2 or EMD2. What they are, firmly and unambiguously, is an AML-obliged entity under EU law, and they sit at the sharp end of the EU's anti-money laundering framework precisely because corporate structures are one of the most common tools used to disguise the ownership and movement of illicit funds.
The Licensing Layer: Who Needs What
The most fundamental difference between these three entity types is whether they require a financial services licence and, if so, what kind.
PSPs, in the specific sense of payment institutions that process payments without issuing e-money, require authorisation under PSD2 in an EU member state. The authorisation process involves submitting a business plan, demonstrating fit and proper management, holding minimum initial capital, and showing the regulator that internal governance, AML, and security frameworks are in place. Once authorised in one member state, the institution can passport its licence across the EU without separate authorisation in each country.
EMIs require a separate authorisation under EMD2, which carries its own requirements that are generally more demanding than a basic payment institution licence, reflecting the fact that the institution will hold stored monetary value on behalf of customers rather than simply processing transactions and moving funds on. As discussed below, this creates additional capital and safeguarding obligations. Like payment institution licences, EMI licences can be passported across the EEA.
CSPs require no financial services licence. They are regulated, but through a different mechanism. They are classified as obliged entities under the EU's AML directives, which means they must implement AML programmes, conduct customer due diligence, identify beneficial owners, and report suspicious transactions to Financial Intelligence Units. The regulatory oversight of CSPs happens through their national AML supervisor rather than a financial services regulator. In practice this often means a legal or company registry authority, a professional body, or a national supervisory body depending on the member state.
The important thing to understand here is that for PSPs and EMIs, the AML obligations sit on top of a financial services licence framework. For CSPs, the AML framework is the entire regulatory framework. That is a fundamentally different position, and it shapes everything about how compliance programmes are structured.
Capital Requirements: Where the Numbers Diverge Sharply
One of the most tangible differences between the three entity types is the minimum capital required to operate.
Under PSD2, payment institutions face tiered capital requirements based on which payment services they provide. The minimum initial capital ranges from €20,000 for money remittance services to €125,000 for payment institutions providing more complex services such as executing payment transactions, issuing or acquiring payment instruments, or operating payment accounts. These amounts are not the full picture; ongoing own funds requirements apply throughout operation and are linked to the volume of payment activity.
EMIs face a minimum initial capital requirement of €350,000 under Article 4 of EMD2, which is meaningfully higher than most PI tiers. Beyond that floor, the ongoing own funds requirement is calculated as the higher of €350,000 or 2% of average outstanding electronic money, meaning that as an EMI grows its wallet balances and stored value liabilities, the capital requirement scales with it. Regulators in many EU member states expect institutions to hold buffers of 120 to 150 percent of the regulatory minimum as standard practice.
CSPs have no minimum capital requirement in the regulatory sense. There is no regulator assessing the solvency or capitalisation of a company formation agent or trust administrator as a financial entity. What CSPs do need to invest in, often substantially, is the infrastructure to run a credible AML compliance programme: staff, technology, systems for screening, monitoring, and reporting. But that is an operational cost, not a regulatory capital mandate.
Safeguarding Customer Funds: The EMI Obligation That Others Do Not Share
Perhaps the sharpest technical difference in the compliance architecture is the safeguarding obligation that applies to EMIs and payment institutions but not to CSPs, and that applies to EMIs in a particularly strict form.
Under EMD2, an EMI must safeguard 100 percent of the funds received in exchange for e-money at all times. There are two permitted methods. The segregation method requires placing client funds in a dedicated ring-fenced account at an authorised credit institution, completely separated from the EMI's operational funds. The insurance or guarantee method requires a third-party guarantee equivalent in value to the e-money outstanding. Critically, an EMI cannot use safeguarded client funds for its own balance-sheet lending, and it cannot pay interest on e-money balances out of the safeguarded pool.
For payment institutions that do not issue e-money, a similar but slightly different safeguarding obligation applies when they hold client funds for more than a business day. PSD2 requires that those funds also be segregated, but the mechanics are calibrated to the fact that PIs do not hold balances in the same structural way as EMIs.
Under the framework of PSD3, which reached political agreement in November 2025 and is expected to formally enter into force during 2026, EMIs will eventually be absorbed into a unified payment institution category as EMD2 is repealed. The safeguarding rules will be broadly preserved in structure. One notable change is that PSD3 introduces a new option for payment institutions to safeguard client funds directly in an account held with a central bank, at the discretion of the relevant central bank, as a way of mitigating the concentration risk that arises when all client money is held with a single commercial bank.
CSPs have no client fund safeguarding obligation of this kind. They do not hold client money in exchange for electronic value, and the regulatory framework reflects this. The closest concept for CSPs is ensuring that client funds and company assets are not commingled with CSP operating funds, but this is a governance and professional standards issue rather than a regulatory capital mechanic.
AML Obligations: Common Ground With Very Different Risk Profiles
All three entity types carry AML obligations, and in broad terms, the framework is the same: conduct customer due diligence, identify beneficial owners, monitor transactions or business relationships for suspicious activity, and report to the relevant Financial Intelligence Unit when something does not add up. What differs is the source of the obligation, the intensity of the risk exposure, and the nature of what they are actually screening for.
For PSPs and EMIs, the AML obligation derives from their inclusion as "credit and financial institutions" within the scope of Directive (EU) 2024/1640 (AMLD6) and the forthcoming Regulation (EU) 2024/1624 (AMLR), both of which apply from 10 July 2027. These entities must apply customer due diligence at onboarding, maintain ongoing transaction monitoring, report suspicious activity, and apply enhanced due diligence for higher-risk customers including politically exposed persons, business relationships involving high-risk third countries, and correspondent relationships. The AMLR harmonises the beneficial ownership threshold EU-wide at 25 percent or more, with the European Commission retaining the power to lower it to 15 percent for specific higher-risk sectors.
For CSPs, the AML obligation derives from their classification as non-financial obliged entities. They sit alongside lawyers, notaries, accountants, and auditors as entities specifically identified as vulnerable channels for money laundering through the corporate structures and trust arrangements they help create and administer. The FATF's Recommendations 22 and 24, which the EU's framework implements, place specific obligations on trust and company service providers around beneficial ownership transparency. The practical risk profile is different from that of a PSP or EMI: a CSP's AML work is concentrated on understanding the people and beneficial owners behind the companies they incorporate and administer, mapping ownership structures, and recognising when a corporate architecture is being constructed to conceal rather than govern. A payment processor's AML work is concentrated on transaction flows and the behavioural signals of accounts and payment patterns.
A nuance worth noting is that CSPs often must carry out KYB checks on their own clients, in the same way that the PSPs and EMIs their clients use must also run KYB on those companies. The regulatory requirement to identify ultimate beneficial owners flows through every layer of the chain.
DORA: A Major Obligation for PSPs and EMIs That CSPs Do Not Currently Share
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied since 17 January 2025. Its requirements cover ICT risk management frameworks, major ICT incident reporting, digital operational resilience testing, and governance of third-party ICT service providers.
Critically, DORA's scope is defined by reference to entities regulated and supervised under EU financial services legislation. This means credit institutions, payment institutions, EMIs, account information service providers, and exempted PSP categories are all within scope. CSPs, not being financial services entities, are not currently within DORA's scope.
For PSPs and EMIs, DORA adds a substantial new layer of operational compliance on top of the existing AML and prudential requirements. Financial entities within scope must have comprehensive ICT risk management frameworks, maintain registers of their contractual arrangements with ICT third-party service providers, and report major ICT incidents to their national competent authority following defined timelines and templates. The European Banking Authority confirmed in February 2025 that its previous ICT and security risk management guidelines now apply only to the residual subset of PSPs not covered by DORA, precisely because DORA supersedes those guidelines for institutions within its scope.
For compliance teams at PSPs and EMIs, DORA is not an optional extra. It is live, it requires board-level engagement, and it demands specific documentation that national competent authorities can examine. For EMIs currently in the process of re-authorising under the PSD3 framework, DORA compliance evidence is expected to form part of any updated authorisation application package.
Transaction Monitoring and Reporting: How the Approach Differs
Transaction monitoring is another area where the three entity types share a common purpose but carry out their obligations in structurally different ways.
PSPs are required under PSD2, and more explicitly under the forthcoming PSR, to operate risk-sensitive, behavioural transaction monitoring mechanisms. The PSR goes further than PSD2 by explicitly requiring PSPs to implement monitoring capable of detecting potentially fraudulent transactions and to participate in structured fraud information sharing arrangements with other PSPs, subject to GDPR safeguards. The connection between transaction monitoring for fraud and transaction monitoring for AML is closer than it might appear: both require the same underlying data infrastructure, behavioural signals, and alert management capability.
EMIs face the same obligations as PSPs in this area, given that their payment service activities fall within PSD2's scope, with the additional complexity that they are monitoring both payment transactions and the stored-value activity of wallet balances, which can create different risk patterns than a pure payment processor sees.
For CSPs, transaction monitoring in the PSD2 sense is not relevant, because they are not processing payment transactions. What they are required to do under their AML obligations is monitor business relationships for unusual or suspicious activity throughout the life of those relationships, not just at onboarding. The timing and trigger for that monitoring is different: it is not real-time transactional screening but ongoing oversight of the client relationship, corporate filings, ownership changes, and any instructions or requests that sit outside the normal pattern of the relationship.
PSD3 and What Is Changing:
One of the most significant structural changes on the horizon is that PSD3, once formally adopted and transposed, will repeal EMD2 and absorb the EMI licence type into a unified payment institution framework. The European Parliament and Council reached provisional political agreement on this in November 2025, with formal adoption expected in 2026 and the compliance deadline expected in late 2027 to early 2028, given that institutions will have an 18-month implementation period.
For existing EMI licence holders, the transition is managed through a 24-month grandfathering period: existing licences remain valid without immediate re-application, but applications for re-authorisation under the new framework must be submitted within that period. For compliance teams at EMIs, this means the re-authorisation process should be in progress now, particularly given that DORA compliance evidence and updated governance documentation are likely to form part of any re-authorisation package.
For PSPs that are payment institutions, the practical impact of PSD3 is significant in several areas: stronger anti-fraud obligations including liability for certain impersonation scams, payee name verification requirements, updated strong customer authentication rules, and changes to the safeguarding regime. The new PSR framework moves many of these conduct rules out of a directive structure that had to be nationally transposed and into a directly applicable regulation, meaning they will apply uniformly across all EU member states from day one.
For CSPs, PSD3 is largely irrelevant. The changes in PSD3 are aimed at payment services and e-money issuance, neither of which CSPs engage in. CSPs will, however, feel the AMLR very directly when it applies in 2027, including new requirements around group-wide AML policies, appointment of a dedicated compliance officer, harmonised CDD standards, and updated beneficial ownership transparency requirements that will raise the bar on the depth of corporate structure analysis CSPs already perform.
The 2027 AMLR Horizon: What Every Entity Type Needs to Start Now
July 2027 is closer than it feels for compliance teams already managing current obligations. AMLA is publishing its batch of Regulatory Technical Standards throughout 2026, covering CDD criteria, risk factor guidelines, suspicious transaction reporting formats, and sector-specific requirements. These standards will define the detailed obligations that all three entity types must have embedded in their compliance programmes by the time the AMLR applies.
The practical implication is that 2026 is the preparation year. Entities waiting until mid-2027 to start adapting their AML frameworks, their beneficial ownership data structures, or their compliance officer governance arrangements will not have enough time to get it right.
Compliance Requirements Comparison: PSPs vs CSPs vs EMIs
The table below summarises the key compliance differences. It is based on the current EU legal framework (PSD2, EMD2, AMLD4/5, AMLR, DORA) and incorporates the known direction of PSD3 and the AMLR ahead of their 2027 application dates. Treat it as a navigational overview rather than a definitive legal reference, and always verify current requirements with qualified legal counsel given the pace of regulatory change.
Compliance Area | PSP (Payment Institution) | EMI (Electronic Money Institution) | CSP (Corporate Service Provider) |
|---|---|---|---|
Primary licensing framework | PSD2 (Directive 2015/2366); PSD3 from ~2027 | EMD2 (Directive 2009/110/EC) + PSD2; absorbed into PSD3 from ~2027 | No financial services licence; obliged entity under AML directives |
Minimum initial capital | €20,000 to €125,000 depending on services provided (PSD2, Annex I) | €350,000 minimum (EMD2 Article 4) | No regulatory capital minimum |
Ongoing own funds | Linked to payment volume; varies by activity | Higher of €350,000 or 2% of average outstanding e-money | Not applicable |
Safeguarding of client funds | Required for funds held beyond T+1 under PSD2; segregation from own funds | Required 100% at all times; segregation or insurance/guarantee under EMD2 Article 7 | Not applicable |
Can hold/issue e-money | No (requires EMI licence) | Yes, specifically authorised to issue e-money | No |
Can lend or take deposits | No | No | No |
AML obligations | Yes, as financial institution under AMLD4/5 and AMLR from 2027 | Yes, as financial institution under AMLD4/5 and AMLR from 2027 | Yes, as non-financial obliged entity under AMLD4/5 and AMLR from 2027 |
UBO threshold (AMLR 2027) | 25% or more (EC may lower to 15% for high-risk sectors) | 25% or more (EC may lower to 15% for high-risk sectors) | 25% or more (EC may lower to 15% for high-risk sectors) |
Strong Customer Authentication | Yes, under PSD2/PSR | Yes, under PSD2/PSR | Not applicable |
Transaction monitoring obligation | Yes, for payment fraud and AML under PSD2/PSR and AMLD | Yes, for payment fraud and AML under PSD2/PSR and AMLD | Yes, for AML under AMLD; focused on business relationship monitoring rather than real-time payments |
DORA (since January 2025) | Yes (payment institutions in scope) | Yes (EMIs explicitly in scope) | No (CSPs fall outside financial entities in DORA scope) |
Passporting rights across EEA | Yes, once authorised in one member state | Yes, once authorised in one member state | Not applicable in the same sense; AML supervision is national |
Primary regulator | National competent authority for financial services (e.g. central bank, financial regulator) | National competent authority for financial services (e.g. central bank, financial regulator) | National AML supervisor (varies by member state; may be professional body, registry authority, or dedicated supervisor) |
Suspicious activity reporting | Required to national FIU | Required to national FIU | Required to national FIU |
Record retention (AMLR 2027) | Five years from end of business relationship | Five years from end of business relationship | Five years from end of business relationship |
Why These Differences Exist: The Underlying Logic
Understanding the regulatory logic behind these differences helps compliance teams build programmes that hold up under scrutiny rather than simply passing a checklist.
The stricter capital and safeguarding requirements for EMIs relative to payment institutions exist because EMIs hold a liability: the e-money they issue represents a promise to the customer that the value can be redeemed on demand. That promise needs to be backed by real assets held safely. The regulatory framework is designed to make sure that if an EMI fails, customer funds survive the insolvency rather than disappearing into the general estate of the company.
The reason CSPs carry such intense AML obligations despite not being financial services entities is that corporate structures, trusts, and legal arrangements created by these firms are among the most exploited tools in financial crime. A CSP that incorporates a shell company, provides its registered office, and nominates a director without understanding who actually controls and benefits from that company has become an unwitting building block in someone else's money laundering architecture. The AML framework reflects the scale of that risk.
The reason PSPs and EMIs face DORA but CSPs do not is that digital infrastructure failure in a payment or e-money system has immediate systemic consequences for customers who cannot access their funds, and for the financial system's operational stability. A company formation agent suffering an IT incident does not carry the same category of risk, even though data security remains important for CSPs from a GDPR and business continuity perspective.
The Practical Compliance Gap That All Three Entity Types Share
Despite their differences, there is one area where PSPs, EMIs, and CSPs consistently face the same challenge: the quality and completeness of beneficial ownership data across their client relationships.
For PSPs and EMIs, this means knowing who actually controls the business clients they onboard, not just the company name and registration number. For CSPs, this is the core of what they do, but the increasing complexity of ownership structures means that verifying ultimate beneficial ownership to the standard regulators now expect requires more than a document collection exercise. It requires cross-referencing registry data, understanding layered ownership across jurisdictions, screening individuals against sanctions and PEP lists, and maintaining records that can withstand an auditor's scrutiny years after the relationship was established.
This is the space where having robust, auditable onboarding and ongoing due diligence infrastructure matters, and where the distinction between doing KYB as a compliance tick and doing it as a genuine risk management exercise becomes visible.
About SpeedyDD
SpeedyDD is a KYB and due diligence platform built for the compliance demands of regulated businesses: PSPs, EMIs, CSPs, iGaming operators, and the complex corporate structures they work with. Our mission is to help businesses that cannot afford a gap in their audit trail maintain compliance readiness as a default rather than as a last-minute exercise before an audit.
For PSPs, EMIs, and CSPs navigating compliance changes, SpeedyDD is built to support the compliance infrastructure that makes the difference between an audit that goes smoothly and one that does not.
Frequently Asked Questions
What is the main compliance difference between a PSP and an EMI?
The biggest structural difference is that EMIs are authorised to issue electronic money, which creates an additional compliance architecture around capital and safeguarding. An EMI must hold a minimum of €350,000 in initial capital under EMD2 and must safeguard 100 percent of customer funds at all times, either through segregation at a credit institution or through an insurance or guarantee arrangement. A payment institution that does not issue e-money faces lower minimum capital thresholds and a safeguarding obligation limited to funds held beyond a business day, rather than 100 percent coverage.
Do CSPs need a payment services licence?
No. Corporate service providers operate outside the payment services licensing framework under PSD2 and EMD2. They are, however, classified as obliged entities under EU AML law, which means they must implement AML programmes, conduct customer due diligence, identify ultimate beneficial owners, and report suspicious transactions to Financial Intelligence Units. The regulatory supervision of CSPs comes from their national AML supervisor rather than a financial services regulator.
Does DORA apply to CSPs?
No. DORA applies to financial entities regulated under EU financial services legislation, which includes payment institutions, EMIs, credit institutions, and account information service providers. CSPs fall outside this scope as they are not financial services entities. They remain subject to GDPR and general data protection obligations, and their own business continuity and information security standards will be relevant to their operations, but DORA does not apply to them as an EU regulatory obligation.
What does PSD3 mean for EMIs?
PSD3 will repeal EMD2 and absorb EMIs into a unified payment institution framework. Existing EMI licence holders benefit from a 24-month grandfathering period after PSD3 enters into force, during which their licences remain valid. EMIs must submit applications for re-authorisation under the new framework within that window. For compliance teams, the practical implication is that re-authorisation needs to begin well ahead of the deadline, as the process requires updated governance documentation, evidence of DORA compliance, and a full assessment against PSD3's updated requirements.
When does the EU's new AML Regulation (AMLR) come into force?
The AMLR (Regulation (EU) 2024/1624) becomes fully applicable on 10 July 2027, at which point it replaces the existing AML Directives as the single rulebook for all obliged entities across the EU. All three entity types covered in this article, PSPs, EMIs, and CSPs, will be subject to the AMLR from that date. AMLA is publishing the regulatory technical standards and guidelines that define the detailed requirements throughout 2026, which is why 2026 is the preparation year rather than a waiting year.
What is the beneficial ownership threshold under the new AMLR?
The AMLR harmonises the beneficial ownership threshold at 25 percent or more of shares, voting rights, or other ownership interests in a legal entity, which is a slight change from the existing directives that used "more than 25 percent." The European Commission can lower this threshold to 15 percent or below for specific corporate entities or sectors deemed higher risk. Compliance systems should be designed to accommodate the possibility of a lower threshold being applied without requiring a full rebuild.
How does AML transaction monitoring differ between PSPs, EMIs, and CSPs?
For PSPs and EMIs, AML transaction monitoring is tightly integrated with payment fraud detection. Both PSD2 and the forthcoming PSR require risk-sensitive, behavioural monitoring mechanisms that track transaction patterns in real time or near-real time. For CSPs, transaction monitoring in the payment sense does not apply. What applies is ongoing monitoring of client business relationships, including watching for unusual instructions, changes in ownership structures, or requests that sit outside the normal pattern of the engagement, in line with AML obligations rather than payment security ones.
Do all three entity types need to conduct KYB checks on their clients?
Yes, though the context and depth differ. PSPs and EMIs must conduct KYB on business clients as part of their customer due diligence obligations under AML law, identifying the legal entity, its registration status, and its beneficial owners. CSPs must also conduct KYB on the businesses they incorporate and administer, since their AML obligations require them to understand who ultimately controls and benefits from the corporate structures they help create. The depth of KYB required by CSPs is often greater, because the nature of their services puts them at the point where ownership structures are established rather than simply documented after the fact.
What should compliance teams at all three entity types be doing right now to prepare for 2027?
The most immediately useful steps are the same regardless of entity type. Map your current UBO data against the forthcoming AMLR's 25-percent-or-more threshold, because you almost certainly have relationships where the threshold change will require remediation. Review how your beneficial ownership verification is documented, since AMLA's forthcoming CDD technical standards will specify the information that must be collected and the sources that can be used. Build or confirm your compliance officer governance structure, as the AMLR requires a dedicated compliance function. And treat AMLA's 2026 technical standards publications as required reading, not optional background, since they will define the detailed standard against which regulators will assess your programme in 2027.
