The Compliance Challenges of High-Growth Payment Companies
Compliance management
PSP

Growth is supposed to feel like momentum. For a payment company, it usually does, right up until the compliance function starts showing the cracks.
The challenge that catches so many payment companies off guard is not that compliance becomes harder as they grow. It is that it becomes harder in ways they did not see coming, and at a pace that their existing processes were never designed to handle. An onboarding workflow that worked fine at two hundred business clients a month starts breaking down at two thousand. A transaction monitoring setup that was adequate for a single-country operation becomes a liability the moment you start processing payments across multiple EU member states. A compliance team of three people that was perfectly capable when the business was small becomes dangerously overstretched when the business is not.
This article is about those specific challenges. Understanding what these challenges actually are is the starting point for managing them.
The Authorisation Gap: When Your Licence Does Not Keep Up With Your Product
The first and most structurally important challenge for a high-growth payment company is the gap between what a company is licensed to do and what it is actually doing.
Payment companies grow by expanding. They add new payment corridors. They start offering services in new EU member states. They add product features that shift the nature of the payment services they provide. Every one of those expansions carries potential licensing implications that a company's original authorisation may not cover, and regulators pay close attention to the distance between what a licence says and what a company is actually doing.
The EBA's December 2025 follow-up peer review on the authorisation of payment institutions and EMIs is worth reading carefully if you are at a growing payment company. The review found that the median authorisation process in the EEA, from submission of an application, now takes 9.5 months. Delays are most commonly caused by incomplete or poor-quality applications and the time needed to address deficiencies that regulators identify once a review begins. The review also found that while supervisors have improved efficiency, divergent implementations of governance and internal control requirements across member states persist and risk creating regulatory arbitrage.
What this means in practice is that if your business is growing and your licence needs updating or extending, you are looking at a process that takes the better part of a year even when it goes smoothly. Planning that journey around your product roadmap, rather than reacting to it after a product decision has already been made, is one of the clearest compliance advantages a high-growth payment company can build.
The PSD3 transition adds a specific urgency to this for EMIs. The forthcoming Payment Services Directive 3 and Payment Services Regulation, which reached political agreement in November 2025 and are expected to enter into force in 2026, will repeal Directive 2009/110/EC (EMD2) and absorb EMIs into a unified payment institution category. EMIs will have 24 months from the date PSD3 enters into force to re-authorise under the new framework, with an extension to 30 months available in some cases. Any EMI that has not mapped its current compliance position against PSD3's updated requirements and begun preparing its re-authorisation application is already behind the realistic planning curve.
The Onboarding Bottleneck: Speed Versus Rigour at Scale
For a payment company whose business model depends on getting merchants, platforms, or business customers onboarded quickly, the compliance onboarding process is the most commercially visible friction point in the business.
The challenge is structural. PSD2 (Directive (EU) 2015/2366) and the forthcoming AMLR both require that financial institutions verify the identity of business customers, identify and verify their ultimate beneficial owners, understand the purpose and intended nature of the business relationship, and conduct ongoing monitoring throughout the life of that relationship. These are not box-ticking exercises. They are substantive checks that require real data from real sources, and which must be documented in a way that can be reproduced for a regulator or banking partner on request.
The onboarding volume that comes with high growth makes that requirement exponentially harder to meet manually. Payment companies that have been growing fast often discover, usually around the time a banking partner requests a third-party audit or a regulator asks for a sample of onboarding files, that the documentation quality of their onboarding records does not match the volume of approvals they have made. Fast onboarding and rigorous documentation are not inherently in conflict, but they require automation at the data-gathering and record-keeping level to coexist at scale.

What makes the business customer onboarding challenge particularly acute for payment companies is that the clients they are onboarding are businesses with ownership structures of their own. A payment company that processes payments on behalf of e-commerce merchants, for example, needs to understand not just the merchant company but the people who own and control it. Layered ownership structures, holding companies across multiple jurisdictions, and nominee arrangements all require more than a document collection exercise to satisfy the beneficial ownership identification requirements that apply under the current AML Directives and which will be further harmonised under the AMLR from July 2027.
The AMLR sets the beneficial ownership threshold at 25 percent or more of shares, voting rights, or other ownership interests, which is a small but meaningful change from the existing directives that used "more than 25 percent." It is the kind of definitional shift that requires updating onboarding workflows, questionnaires, and the data fields your system actually captures, not just noting the change in a policy document.
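To show how the "25 percent or more" wording and a layered ownership structure interact in onboarding logic, here is an added example (not SpeedyDD code). It assumes, as an illustration, that an indirect stake is the product of the percentages along the chain and that stakes held through several chains are summed; the entity names and percentages are constructed.

```python
"""Beneficial-ownership threshold check across a layered ownership structure.

Added example, not SpeedyDD code. The ownership graph, the names and the
percentages are constructed. Indirect stakes are computed by multiplying along
each chain and summing across chains (an assumption for illustration); control
through means other than ownership is out of scope here.
"""
from collections import defaultdict
from fractions import Fraction

# Constructed sample: who holds what percentage of each entity.
# Key: entity being held -> list of (holder, percent held).
SAMPLE_HOLDERS = {
    "Merchant Ltd": [("HoldCo A", 50), ("HoldCo B", 40), ("Bob", 10)],
    "HoldCo A": [("Alice", 50), ("Bob", 50)],
    "HoldCo B": [("Carol", 100)],
}
# Natural persons are the leaves of the structure.
NATURAL_PERSONS = {"Alice", "Bob", "Carol"}

THRESHOLD = 25  # percent, both under the directives and under the AMLR


def effective_ownership(entity, holders, persons):
    """Return {natural_person: effective percent held in `entity`}.

    Walks upward through intermediate companies, multiplying percentages along
    each chain and summing across chains. Fractions avoid float rounding, so an
    exactly-25% stake compares as exactly 25. Cross-holdings (cycles) are cut
    off rather than resolved; a production engine would need to handle them.
    """
    result = defaultdict(Fraction)

    def walk(node, weight, path):
        for holder, pct in holders.get(node, ()):
            share = weight * Fraction(pct) / 100
            if holder in persons:
                result[holder] += share
            elif holder not in path:  # skip cycles
                walk(holder, share, path | {holder})

    walk(entity, Fraction(100), {entity})
    return dict(result)


def beneficial_owners(stakes, threshold=THRESHOLD, inclusive=True):
    """Persons whose effective stake meets the threshold.

    inclusive=True  models the AMLR wording ("25 percent or more").
    inclusive=False models the directives' wording ("more than 25 percent").
    """
    return sorted(
        person for person, stake in stakes.items()
        if (stake >= threshold if inclusive else stake > threshold)
    )


def remediation_cases(stakes, threshold=THRESHOLD):
    """Persons who become UBOs under the AMLR rule but were not under the
    directives' rule, i.e. exactly-at-threshold stakes that need remediation."""
    before = set(beneficial_owners(stakes, threshold, inclusive=False))
    after = set(beneficial_owners(stakes, threshold, inclusive=True))
    return sorted(after - before)


if __name__ == "__main__":
    stakes = effective_ownership("Merchant Ltd", SAMPLE_HOLDERS, NATURAL_PERSONS)
    for person, stake in sorted(stakes.items()):
        print(f"{person}: {float(stake):.1f}%")
    print("UBOs under 'more than 25%':", beneficial_owners(stakes, inclusive=False))
    print("UBOs under '25% or more':  ", beneficial_owners(stakes, inclusive=True))
    print("Files needing remediation: ", remediation_cases(stakes))
```

In the constructed sample, Alice holds exactly 25% of Merchant Ltd through HoldCo A, so she is a UBO under the AMLR wording but not under the directives' wording; that is the kind of record an onboarding system needs to flag for remediation.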
The Instant Payments Challenge: Compliance at the Speed of Settlement
The EU's Instant Payments Regulation, Regulation (EU) 2024/886 amending the SEPA Regulation, introduced one of the most operationally demanding compliance requirements EU payment companies have faced in recent years. Every payment covered by the regulation must complete within ten seconds, 24 hours a day, on any calendar day. That timeline does not pause for compliance checks.
The sanctions screening requirement that accompanies the Instant Payments Regulation is one that payment companies have found particularly complex to implement correctly. PSPs must verify at least daily whether any of their payment service users are persons or entities subject to targeted financial restrictive measures. Critically, the regulation does not permit transaction-by-transaction sanctions screening of instant payments in the way that was common practice for standard credit transfers. The screening obligation shifts to a customer-based model: screen the customer base against the EU's consolidated sanctions list, at minimum daily, so that when an instant payment is processed, the compliance check has already happened at the customer level rather than needing to complete within the ten-second payment window.
For payment companies that grew up screening transactions rather than customers, this requires a meaningful rethinking of the screening infrastructure. Non-bank PSPs, including payment institutions and EMIs, must meet receiving requirements for instant payments by April 2027 and sending requirements by July 2027, giving them more time than the banks that faced the initial January 2025 deadline, but that time is closing fast.
The operational pressure is compounded by the fraud risk that instant payments carry. The EBA has confirmed that the risk of fraudulent transfers is up to ten times higher in instant credit transfers compared to regular credit transfers. For a growing payment company that is building its fraud detection capability at the same time as it is scaling its transaction volumes, the combination of higher fraud risk and a ten-second settlement window is a genuine operational challenge that requires investment in real-time monitoring infrastructure well before the regulatory deadline arrives.
The Verification of Payee requirement, which mandates IBAN-name matching before an instant payment is executed, adds another layer of complexity. PSPs must be able to return a match, no match, or close match result based on checking whether the payee IBAN corresponds to the name provided. This requires both technical integration with the payee's PSP and a data quality standard in the underlying customer records that many growing payment companies are still working toward.
The AML Infrastructure Gap: Building for Tomorrow's Volume Today
One of the most quietly damaging patterns in high-growth payment companies is the AML infrastructure gap: the difference between the monitoring and reporting capability a company built when it was smaller and the one it actually needs at its current scale.
This gap has a specific shape. Transaction monitoring systems are configured with rules that reflect the transaction patterns and volumes of a company at the time those rules were written. As the business grows, transaction volumes increase, payment corridors diversify, client risk profiles become more varied, and new products create new transaction types. Without active rule maintenance and recalibration, the transaction monitoring system generates more noise and less signal: alert volumes grow, analyst capacity stays the same, and the time available for genuine investigation shrinks.
The AMLR will reinforce this challenge from July 2027 by requiring every obliged entity to have a named compliance officer with sufficiently high hierarchical standing, who bears personal responsibility for the day-to-day operation of the AML/CFT programme and specifically for reporting suspicious transactions to the Financial Intelligence Unit. That personal accountability structure cannot coexist with a transaction monitoring setup that generates more alerts than the compliance team can meaningfully review. The compliance officer who signs off on a suspicious transaction report is accountable for the judgment behind it. That judgment requires actual capacity to investigate.
The practical implication for growing payment companies is that the investment case for scaling AML infrastructure is not simply regulatory. It is also about protecting the compliance officer and the management body from a position where the regulatory obligation they carry is structurally impossible to discharge with the tools and team they have.
The EBA's guidelines on the role of AML/CFT compliance officers provide useful context here. They set clear expectations that the compliance officer must have sufficient authority and resource to carry out their function effectively, including the ability to escalate concerns to the management body. A compliance officer without adequate tooling or adequate team capacity to support their oversight role is not a compliance function that meets the spirit, or the letter, of what regulators expect.
DORA: The Operational Resilience Requirement That Cannot Be Delegated to IT
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied to payment institutions and EMIs since 17 January 2025. For a high-growth payment company, it creates compliance obligations that span technology, governance, and third-party risk management in ways that cannot be resolved by the IT team alone.
DORA requires payment institutions and EMIs to maintain a comprehensive ICT risk management framework that is defined, approved, and overseen by the management body, not just implemented by a technical team. It requires a complete register of contractual arrangements with ICT third-party service providers, including cloud providers, payment processing infrastructure, and any SaaS tool that forms part of the operational technology stack. It requires major ICT-related incidents to be reported to the national competent authority within defined timelines and in defined formats.
For a growing payment company, the DORA compliance challenge is specifically that the ICT environment grows faster than the governance documentation that is supposed to cover it. A payment company at the beginning of its growth journey might have a handful of key technology vendors. Two years later, after several product builds, technology partnerships, and infrastructure decisions made under commercial time pressure, it may have thirty or forty. Producing a DORA-compliant register of those arrangements retroactively is substantially harder than maintaining it as each relationship is established.
The ESAs published their first annual report on DORA major ICT-related incidents in June 2026, noting 3,383 major incidents reported across EU financial entities in the first year of the framework's application, with around a third having cross-border impact. For compliance teams at payment companies, this is a useful benchmark: ICT incidents at the scale DORA defines as major are not rare events at a company processing meaningful payment volumes. The incident classification, documentation, and reporting workflow needs to exist and be practiced before an incident occurs.
Banking Partnerships and De-risking: The Compliance Posture Problem
There is a specific operational reality for high-growth payment companies that rarely makes it into regulatory guidance but shapes the compliance function profoundly: banking partners are conducting their own assessment of your compliance posture, and that assessment directly affects your ability to operate.
Banks that provide settlement accounts, safeguarding account infrastructure, or correspondent banking services to payment companies are themselves subject to their own regulatory obligations. When they assess a payment company as a counterparty, they are effectively reviewing that company's compliance framework against the standard they would need to meet if the company's risk were their own. Payment companies that cannot demonstrate clean, documented, reproducible compliance records, covering onboarding files, transaction monitoring processes, SAR procedures, and governance structure, are perceived as high-risk counterparties.
The consequence in practical terms is that payment companies with poor compliance documentation can face banking relationships being reviewed, terms being tightened, or in the most serious cases, banking services being withdrawn. The disruption to operations that follows is not a regulatory sanction in the formal sense. It is arguably more damaging in the short term, because it can affect the ability to operate before any formal regulatory action has been taken.
For growing payment companies, this is an argument for treating compliance documentation quality as a commercial priority rather than purely a regulatory one. The compliance file that a banking partner wants to see is substantially the same one that a regulator would want to see. Building it properly as part of the growth process, rather than retrospectively when a relationship comes under pressure, is one of the clearest risk-management decisions a payment company can make.
The Compliance Challenges Comparison: By Growth Stage
The table below maps each major compliance challenge to the regulatory obligation it connects to, the stage of growth at which it typically becomes acute, and the practical consequence of not addressing it in time.
| Compliance Challenge | Regulatory Basis | Growth Stage When It Becomes Acute | Practical Consequence if Not Addressed |
|---|---|---|---|
| Licence scope not matching product evolution | PSD2 Art. 5 authorisation requirements; PSD3 from ~2027 | Early to mid growth, when product expands beyond original scope | Operating outside licence scope; regulatory intervention; banking partner risk |
| EMI re-authorisation under PSD3 | PSD3 (political agreement Nov 2025); EMD2 repeal from ~2027 | Now, for any existing EMI | Missed 24-month window; gaps in ongoing authorisation; DORA evidence not ready |
| Onboarding volume outpacing documentation quality | AMLR Art. 20 CDD, Art. 52 UBO identification | Mid growth, when manual onboarding cannot keep pace | Incomplete audit trail; banking partner audit failures; regulatory examination findings |
| Beneficial ownership data gaps | AMLR 25% threshold (from July 2027); current AMLD4/5 requirements | Mid growth, as client base diversifies into complex structures | CDD failures; inability to demonstrate UBO verification; EDD deficiencies |
| Instant Payments Regulation: daily customer sanctions screening | EU Instant Payments Regulation (Regulation 2024/886); non-bank PSP deadlines April to July 2027 | Any PSP/EMI planning to offer instant payments | Non-compliant payment operations; reporting obligations not met; sanctions exposure |
| Instant Payments Regulation: Verification of Payee | EU IPR; European Payments Council VoP Scheme Rulebook | Pre-deadline preparation phase | Technical non-compliance; fraud liability not mitigated as required |
| AML transaction monitoring: rules not calibrated to current volume or risk profile | AMLR, forthcoming PSR, PSD2 Art. 95 | Mid to late growth, as transaction diversity increases | Alert fatigue; genuine suspicious activity missed; SAR quality deteriorates |
| AMLR compliance officer: personal accountability for SAR filing | AMLR Art. 74 (from July 2027) | Any stage, once AMLR preparation begins | Compliance officer exposed to personal regulatory risk without adequate tooling |
| DORA: ICT third-party register not maintained | DORA Art. 28 (applies since January 2025) | Any stage for licensed PSPs and EMIs | Incomplete register; inability to report incidents within required timelines |
| DORA: management body not owning ICT risk framework | DORA Art. 5 (applies since January 2025) | Any stage for licensed PSPs and EMIs | Governance finding in regulatory examination; incident response not governed correctly |
| Banking partner de-risking due to compliance posture | Not a regulatory obligation on the PSP but consequence of regulatory obligations on the banking partner | Any stage when banking partner reviews counterparty risk | Loss of settlement account or safeguarding account; operational disruption |
What High-Growth Payment Companies Usually Get Right, and Where the Gap Appears
It is worth being honest that most high-growth payment companies are not ignoring compliance. Most take their AML obligations seriously, invest in screening tools, and have compliance officers who understand the regulatory landscape. The challenge is less about intent and more about the structural mismatch between how quickly compliance infrastructure needs to scale and how quickly it actually does.
The gap most commonly appears in three places.
First, in the quality and completeness of documentation rather than the existence of processes: the process exists, but the record of it is not good enough to survive scrutiny.
Second, in the calibration of monitoring tools to the current risk profile of the business rather than the risk profile it had when the tools were configured.
Third, in the governance layer: boards and senior management teams that are deeply engaged with commercial performance but less engaged with the specific compliance obligations that sit at board level under DORA, the AMLR, and PSD3.
Closing these gaps is not primarily a technology problem. It requires deliberate investment in compliance infrastructure at the same pace as investment in commercial growth, and a compliance function with enough seniority and resource to run an effective programme rather than just maintaining a minimum viable one.

About SpeedyDD
SpeedyDD is a KYB and due diligence platform. Our mission is to help complex, regulated businesses (PSPs, EMIs, CSPs, iGaming operators, and the financial institutions that work with them) maintain compliance readiness by design. That means automating the data-gathering and record-keeping layers of KYB so that the compliance officer and the MLRO can focus on the judgment-dependent work that only they can do.
With access to more than 3000 corporate registry data sources across more than 200 countries and territories and direct integration with The KYB for registry data retrieval, SpeedyDD supports the onboarding and ongoing due diligence workflows that determine whether a growing payment company's compliance record holds up under scrutiny. Every verification, approval, and decision is logged automatically, so the audit trail is already there when it needs to be.
Frequently Asked Questions
What are the biggest compliance risks for a fast-growing payment company in the EU?
The most acute risks are: operating outside the scope of an existing payment institution or EMI licence without recognising it; having KYB onboarding documentation that does not meet the standard a regulator or banking partner expects; failing to implement the daily customer-based sanctions screening required by the Instant Payments Regulation; not maintaining a DORA-compliant ICT risk management framework; and not scaling the AML transaction monitoring capability at the same pace as transaction volumes. Each of these creates real regulatory exposure; the combination of several of them creates the conditions for a serious supervisory finding.
Does the EU Instant Payments Regulation apply to payment institutions and EMIs?
Yes, though on a later timeline than banks. Under the Instant Payments Regulation, non-bank PSPs including payment institutions and EMIs must meet receiving requirements by April 2027 and sending requirements by July 2027. The daily customer-based sanctions screening obligation, which replaces transaction-level screening for instant payments, applies within the same timeframe. Payment companies that are not yet building toward these deadlines are running out of preparation runway.
What does PSD3 mean for EMIs specifically?
PSD3 will repeal EMD2 and absorb EMIs into a unified payment institution category. Existing EMI licence holders will have 24 months from the date PSD3 formally enters into force, with publication in the Official Journal expected in 2026, to re-authorise under the new framework. Any EMI that has not mapped its existing compliance position against PSD3's requirements should treat this as urgent, particularly given that DORA compliance evidence is expected to form part of re-authorisation applications and DORA has already applied since January 2025.
How does DORA apply to a growing payment company?
DORA has applied since 17 January 2025 to payment institutions and EMIs. It requires these entities to maintain a comprehensive ICT risk management framework overseen by the management body, a complete register of contractual arrangements with ICT third-party service providers, major ICT incident reporting to the national competent authority within defined timelines, and resilience testing programmes. For growing payment companies, the most common gap is the ICT third-party register: as the technology stack grows, the register needs to grow with it, and many companies are maintaining a DORA register that does not reflect their actual vendor landscape.
What is the 10-second rule under the Instant Payments Regulation and what does it require from compliance?
The Instant Payments Regulation requires that all instant credit transfers complete within ten seconds, 24 hours a day, on any calendar day. This timeline is too short for transaction-level sanctions screening, which is why the regulation introduces a daily customer-based screening model: PSPs must screen their customer base against the EU's consolidated financial sanctions list at least once daily. The compliance implication is that the screening infrastructure needs to be customer-level and continuous, not transaction-level and reactive.
How does high transaction volume create compliance risk even when monitoring tools are in place?
Transaction monitoring tools are configured with rules based on a specific understanding of the business's transaction profile at a point in time. As volumes grow and the customer mix diversifies, those rules may no longer reflect the actual risk distribution of the portfolio. Rules calibrated for a lower-volume, single-market business can produce high false-positive rates at scale, overwhelming analyst capacity, or may miss new typologies of suspicious activity that did not appear in the original rule set. Regulators increasingly expect compliance programmes to demonstrate ongoing effectiveness rather than just the existence of controls, which means rule recalibration is an ongoing responsibility, not a one-time implementation task.
What is the AMLR beneficial ownership threshold change and why does it matter for payment companies?
The Anti-Money Laundering Regulation, applicable from 10 July 2027, harmonises the EU-wide beneficial ownership threshold at 25 percent or more of shares, voting rights, or other ownership interests. The existing AML Directives use "more than 25 percent," meaning that an ownership stake of exactly 25 percent triggers identification under the AMLR but not under the current directives. For payment companies onboarding business customers, this means the data fields collected at onboarding, and the logic used to determine who must be verified as a UBO, need to be updated to capture the at-or-above threshold, not just above it.
Can a payment company's banking partner actually withdraw services based on compliance concerns?
Yes. Banks that provide settlement accounts, safeguarding accounts, or correspondent banking services to payment companies conduct their own assessment of the counterparty's compliance posture as part of their own regulatory obligations. If a bank concludes that a payment company's compliance framework does not meet the standard it expects from a counterparty, it can review the terms of that relationship, restrict services, or in serious cases withdraw them. This is not a formal regulatory sanction against the payment company, but the operational disruption is comparable. Maintaining documented, reproducible compliance records is therefore a commercial priority as much as a regulatory one.
What should a high-growth payment company do right now to prepare for the AMLR in 2027?
The most time-sensitive actions are: map the current beneficial ownership data against the AMLR's 25-percent-or-more threshold to identify which existing business client relationships will require remediation; confirm that the compliance officer has the seniority, resource, and tooling to discharge personal responsibility for SAR filing as the AMLR requires; review the transaction monitoring rules and calibrate them against the current risk profile of the business; engage with the AMLA technical standards being published throughout 2026, which define the detailed CDD, reporting, and governance requirements that must be embedded by July 2027; and treat 2026 as the preparation year, not the waiting year.
