Regulation & Compliance
Regulatory compliance in financial services is not a legal exercise — it is an operational discipline. From licensing and AML programmes to regulatory reporting and tax compliance, the organisations that manage it well treat regulation as a design constraint, not an afterthought, building compliance into processes and systems rather than layering it on top.
PSD2 / PSD3
The payment services directives continue to reshape how payments are processed, authenticated, and governed across Europe. PSD2's Strong Customer Authentication requirements, while technically specified, generated significant operational complexity in implementation. PSD3 and the accompanying Payment Services Regulation bring further changes to open banking, liability frameworks, and consumer protections.
Subite has worked on PSD2 implementation programmes from both the technical and regulatory sides — including SCA RTS interpretation, open banking API design, and national competent authority engagement.
- SCA implementation strategy and technical advisory
- RTS on SCA interpretation — exemptions, exclusions, fallback logic
- Open banking compliance assessment — account access, consent management
- PSD2 to PSD3 gap analysis and migration planning
- Liability regime analysis for payment service providers
- National competent authority interaction support
- PIS and AIS service design for open banking
AML / KYC
Anti-money laundering and know-your-customer obligations sit at the intersection of regulatory requirement, operational efficiency, and customer experience. Overly conservative approaches impede onboarding; under-investment creates regulatory and reputational risk. The right calibration requires domain experience as much as technical knowledge.
Subite approaches AML/KYC design from the operational level — how teams actually run these programmes, where the friction and the risk actually sit, and what controls are genuinely effective versus performative.
- Transaction monitoring framework design and tuning
- Customer risk assessment and scoring model design
- KYC programme design — individual and corporate, tiered approach
- Suspicious activity reporting process design and governance
- Correspondent banking AML framework
- AML policy and procedure development
- Third-party vendor selection for KYC/TM tooling
- Regulatory examination preparation
EMI / PI Licensing
Obtaining and maintaining a payment institution or e-money institution licence requires sustained organisational capability, not just a successful application. The regulatory expectations for governance, risk management, and operational resilience have increased significantly across European jurisdictions in recent years.
Subite supports both new applicants and existing licence-holders. For new applicants, the work covers regulatory strategy and application preparation. For existing licence-holders, it covers the ongoing programme management that keeps the licence in good standing.
- EMI/PI licence application advisory and preparation
- Regulatory business plan development
- Governance and risk framework design for licence applications
- Licence passporting strategy across EEA
- Ongoing licence management and compliance monitoring
- Regulatory relationship management and regulator engagement
- Wind-down plan design — regulatory requirement and practical planning
eIDAS & Digital Identity
eIDAS and its successor regulation (eIDAS 2.0) define the legal framework for electronic identification and trust services across the EU. For payment services businesses, eIDAS intersects with SCA, open banking, and digital identity initiatives including the European Digital Identity Wallet.
- eIDAS compliance assessment for payment service providers
- Qualified trust service implementation advisory
- Electronic signature integration strategy — qualified vs advanced
- EU Digital Identity Wallet readiness assessment (EUDIW)
- Remote identity verification programme design
- eIDAS 2.0 gap analysis and transition planning
Regulatory Reporting & Tax Compliance
Regulated financial services businesses carry reporting obligations across multiple dimensions — prudential returns, transaction reporting, statistical disclosures, and increasingly, tax-related compliance such as DAC7, CRS, and FATCA. These obligations are often underestimated until a deadline or a regulatory enquiry makes them urgent.
Subite approaches regulatory reporting as an operational design problem — structuring data flows, report generation, and governance processes so that compliance is sustainable rather than heroic.
- Prudential reporting framework design for EMIs and PIs
- Transaction reporting obligations — PSD2 fraud reporting, ECB statistical reporting
- DAC7 compliance programme design for platforms and marketplaces
- CRS and FATCA reporting framework and due diligence procedures
- Tax compliance programme design for cross-border payment flows
- Regulatory reporting data architecture and automation
- Supervisory engagement and reporting calendar management
Compliance Frameworks
Sustainable compliance requires structured frameworks, not heroic effort. The three lines of defence model, properly implemented with clear roles and effective management information, creates regulatory resilience without organisational paralysis.
Subite designs compliance frameworks that work — meaning they are proportionate to the organisation's size and risk profile, generate useful management information, and survive the scrutiny of a regulatory examination.
- Compliance framework design and implementation
- Three lines of defence model design for financial services
- Policy hierarchy development and governance design
- Regulatory change management process design
- Board-level compliance reporting and MI design
- Compliance monitoring programme design
- Regulator relationship management support