How to Become a Regulated Payment Acquirer in the European Union: Legal Requirements and Frameworks
Becoming a regulated payment acquirer in the European Union requires navigating a complex regulatory landscape designed to ensure security, prevent financial crime, and protect consumers. This comprehensive guide outlines the legal requirements and frameworks necessary to become a regulated payment acquirer in the EU.
April 04, 2025
What Is Payment Acquisition in the EU?
Payment acquisition refers to the process by which financial institutions enable a merchant to receive and process electronic payments from a customer. In the EU, this is part of payment services regulated by the Revised Payment Services Directive (PSD2) and other EU financial regulations.
For instance, if a customer goes to a brick-and-mortar store or purchases an item from an e-commerce website using a card payment, the payment acquirer is the financial institution that facilitates transaction processing on behalf of the merchant, communicates with card networks (Visa, Mastercard, etc.), and transfers funds from the customer's bank account to the merchant's account. Payment acquirers play an essential role within the payment ecosystem, ensuring compliance and security throughout the process.
The Scope of Payment Acquisition
The EU definition of payment acquisition entails the following:
Transaction processing on behalf of a merchant
Merchant's account provision
Merchant services provision
PCI compliance
Chargeback and dispute resolution
Terminal/software/hardware acquisition
Funding and settlement
The EU definition is somewhat vague yet all-encompassing. However, the Revised Payment Services Directive (PSD2) outlines that payment service providers must have a contractual agreement with a payee (merchant) to facilitate electronic payments and acquire payment transactions, involving the transfer of funds to the merchant's account. This payment acquisition process is one of the primary components of payment services.
Legal Requirements for Becoming a Payment Acquirer
To operate as a payment acquirer in the European Union, an entity must obtain authorization as a recognized Payment Service Provider (PSP) under the relevant regulatory framework. The requirements are primarily established by PSD2 (Directive (EU) 2015/2366), which defines the legal foundation for payment services across the EU.
Categories of Payment Service Providers
The EU regulatory framework recognizes several categories of entities that can provide payment services, including payment acquisition. Each category operates under different authorizations and requirements.
Credit Institutions
The term Credit Institution is synonymous with a bank. These are institutions that meet the capital qualifying requirements to be a bank, and they are allowed to provide payment acquisition services. Credit Institutions are regulated by the Capital Requirements Directive (CRD) and Capital Requirements Regulation (CRR).
Noteworthy Characteristics:
Comprehensive regulatory requirements
Subject to higher capital and liquidity requirements
Able to offer all payment services
Regulated by national central banks/banking authorities
The regulatory approval process is more time-consuming than other options
Greater responsibility in customer approvals
Electronic Money Institutions
An Electronic Money Institution (EMI) has the regulatory authority to issue electronic money and offer payment services, including payment acquisition services.
Noteworthy Characteristics:
Regulated by the Electronic Money Directive (EMD2)
Lower capital requirements than Credit Institutions
Able to issue electronic money and payment cards
Authorized to offer payment acquisition services
Subject to a lighter regulatory burden than Credit Institutions
Payment Institutions (PIs)
Payment Institutions (PIs) are licensed to provide only payment services, including payment acquisition services, but cannot hold deposits or issue electronic money.
Key Characteristics:
Regulated under the Revised Payment Services Directive (PSD2)
Lower capital requirements compared to Credit Institutions and EMIs
Exclusively provide payment services
The most common license type for payment acquisition providers
Cannot hold deposits or issue electronic money
Post Office Giro Institutions
Post Office Giro Institutions are postal operators that provide payment service capabilities as part of their operations. These are regulated under national legislation permitting them to offer specific payment services.
Key Characteristics:
Governed by national legislation
May not be fully subject to PSD2
Rarely used for payment acquisition internationally
Historically significant within domestic payment services frameworks
Postal operators with the authority to offer payment services
Authorization Process for Payment Institutions
For most new entrants into the payment acquisition space, becoming authorized as a Payment Institution represents the most straightforward path. The authorization process generally involves the following key steps:
1. Submit an Application
The application to become a Payment Institution is submitted to the national competent authority (NCA) of the EU member state where the entity was founded. A typical application consists of the following:
Detailed business plan — intended payment services
Intended governance arrangements and internal control mechanisms
Security policy document — inherent operational risks and security risks
Business continuity arrangements
Identity and good repute of directors/persons responsible for management
Entity’s legal status and group relationships
Source of paid-up share capital
Although these requirements may differ from state to state, the European Banking Authority (EBA) has issued recommendations for many of them to maintain regulatory consistency.
2. Meet Initial Capital Requirements
Initial capital requirements are the next step in the process, and Payment Institutions must possess adequate starting capital based on the services provided. For example, when providing payment acquisition services, the starting capital requirement is typically €125,000.
This capital buffer serves to mitigate uncertainty and ensure fulfilment of regulatory obligations. It must be maintained throughout the duration of a Payment Institution's operations—not merely upon inception.
3. Demonstrate Management Competence
There is a requirement for qualified persons with sufficient knowledge, abilities, and management competence to run a Payment Institution. This involves:
Relevant professional qualifications of directors and senior management
Experience in financial services or payment services
Clean criminal and financial conduct record
Understanding of regulatory obligations
Ability to maintain compliance with PSD2
Regulators assess both the overall quality of the management team and the suitability of each individual.
4. Establish Risk Management Procedures
Authorization and subsequent operation require comprehensive risk management procedures. These should include:
Treatment of operational risks: technical failures, human error
Treatment of security risks: fraud, hacking, data breaches
Business continuity arrangements
Outsourcing risks where third parties are involved
Liquidity and settlement risks
Anti-money laundering (AML) and counter-terrorist financing (CTF) controls
The risk methodology should reflect the nature, size, and complexity of the payment services offered.
5. Obtain Prudential Approval
The final step is to secure prudential approval from the NCA, confirming the entity is properly capitalized and has appropriate risk controls. Once authorized, the Payment Institution will be listed in the national register and the EBA central register.
The authorization is valid EU-wide through the passporting mechanism, allowing the Payment Institution to offer services in other member states after notifying its home state regulator.
Technical and Security Compliance Requirements
Payment acquirers must adhere to stringent technical and security standards to protect payment data and ensure the integrity of transactions.
Strong Customer Authentication (SCA)
As part of the Revised Payment Services Directive (PSD2), Strong Customer Authentication (SCA) is mandated for all electronic payments, requiring at least two elements from the following three categories:
Knowledge factor (i.e., something known only to the user, such as a password)
Possession factor (i.e., something held only by the user, such as a mobile device)
Inherence factor (i.e., something the user is, such as a fingerprint)
As a payment acquirer, the company must host its payment processing software on secure servers to support SCA compliance and proper authentication data processing. The payment acquirer must also have the technical infrastructure to:
Receive and process authentication data
Interface with issuers to receive transaction approval or denial
Grant authentication exemptions where allowed (e.g., low-value transactions, trusted beneficiaries)
Trigger fallback procedures if SCA fails
Secure Communication Standards
A payment acquirer must follow secure communication standards for all communications involving the transmission of payment information. This includes:
Adherence to the Regulatory Technical Standards (RTS) on secure communication
Use of Application Programming Interfaces (APIs) to allow third-party access
End-to-end encryption of sensitive payment data
Strong identity verification mechanisms
In addition, payment processors must comply with the Payment Card Industry Data Security Standard (PCI DSS), which defines requirements for the protection of card data security, including processing, storing, and secure data transmission of cardholder information.
Anti-Money Laundering and Counter-Terrorist Financing Compliance
The payment acquirer must have an Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) program in place to comply with the requirements of the EU AML Directives.
Risk Assessment and Customer Due Diligence
Payment acquirers must conduct a risk assessment of their merchant customers and perform Customer Due Diligence (CDD) accordingly. CDD includes:
Implementing procedures for merchant identity verification
Understanding the intended purpose of the business and expected transactions
Conducting risk profile assessment based on geographic risk factors and transaction pattern analysis
Applying Enhanced Due Diligence (EDD) where required for higher-risk merchants
Performing ongoing monitoring of the business relationship and transaction activity
Maintaining accurate due diligence record-keeping
The level of due diligence must correspond to the level of risk: higher-risk merchants require enhanced measures, while simplified steps may be applied to low-risk relationships.
Sanctions Compliance
The payment acquirer must perform sanctions screening of merchants and payment transactions against applicable sanctions lists, including:
EU sanctions lists
UN sanctions lists
National sanctions lists
US OFAC lists (if applicable)
This requires the use of automated screening systems to match merchant and transaction data against updated sanctions lists. Payment acquirers must be capable of transaction blocking and fund freezing when a sanctions match is identified.
Operational and Ongoing Compliance Obligations
Once acquirers receive authorization, operational compliance must be maintained continuously. Compliance is not a one-time event; it is an ongoing obligation necessary to retain authorization and operate effectively within the EU.
Business Continuity Planning
Acquirers must implement robust business continuity planning to ensure the uninterrupted provision of payment services during disruptions. This includes:
Identifying and documenting critical business functions and dependencies
Defining recovery time objectives
Establishing backup systems and alternative processing arrangements
Maintaining internal and external communication procedures during disruption
Regularly testing and updating the business continuity plan
These measures must align with the nature, scale, and complexity of the payment acquisition services provided.
Regulatory Reporting
Regulatory reporting to the home state authority is a continuous requirement for payment acquirers. Obligations include:
Financial reporting (quarterly and annual)
Incident reporting of major operational or security disruptions
Fraud reporting
Suspicious transaction reporting in line with AML requirements
Notifying changes to senior management or core business activities
Statistical reporting of payment volumes and values
Although timelines may vary by jurisdiction, all regulators require up-to-date insights into the financial health and operational stability of the payment acquirer.
Passporting Across Member States
A key benefit of EU authorization is the ability to use passporting rights. Once authorized in one member state, a payment acquirer may offer services across the EU without separate licenses in each country.
The passporting process includes:
Filing a notification with the home state authority detailing planned activities in other member states
The home state authority notifies each host state authority
After notification, operations may commence in host states
While passporting falls under a harmonized framework, acquirers must also comply with conduct of business rules in each host state, particularly those related to consumer protection and market conduct.
By adhering to the EU's regulatory framework, a payment acquirer can operate across the EU's payment ecosystem, ensuring the security, integrity, and consumer protection objectives underpinning these regulations are met.