Board Governance for Payment Institutions and Electronic Money Institutions
Connecting governance, safeguarding, AML/CFT, DORA, PSD2/PSD3 and MiCAR through effective Board oversight.

Payment Institutions and Electronic Money Institutions operate in one of the most complex governance environments within financial services.
Boards are expected to oversee not only strategy and growth, but also safeguarding of client funds, AML/CFT obligations, operational resilience, outsourcing arrangements, ICT and cyber risk, customer protection and an evolving regulatory landscape shaped by PSD2, the forthcoming PSD3 framework, DORA, MiCAR and increasing supervisory expectations.
As fintech business models scale, regulatory requirements do not operate in isolation. Safeguarding connects to operational resilience. Outsourcing influences cyber risk. AML/CFT controls depend on the quality of governance, management information and internal controls. Boards are therefore increasingly expected to understand not only individual regulatory obligations, but also how these obligations interact across the organisation.
This represents a significant shift in supervisory expectations. Regulators increasingly assess not only whether policies and governance frameworks exist, but whether Boards can demonstrate effective oversight, informed judgement, independent challenge and accountability for key decisions and regulatory outcomes.
For many regulated fintechs, governance has become more than a compliance requirement. It has become the mechanism through which Boards connect growth, risk management, operational resilience and regulatory accountability.
Governance is no longer simply a regulatory requirement — it has become a critical risk management function in its own right.
Recent supervisory developments in Luxembourg further reinforce this shift. Governance must not only exist formally, but be demonstrable within the Luxembourg entity itself, with decision-making, accountability and oversight effectively anchored locally.
What Effective Board Oversight Looks Like
Board oversight is not demonstrated by receiving information. It is demonstrated by understanding risks, challenging assumptions and exercising independent judgement.
Across Europe, supervisors have identified that many incidents in payment institutions did not originate from a lack of regulation, but from insufficient board oversight. Rapid business models, dependence on third-party providers, safeguarding of client funds and operational resilience require board involvement that goes beyond reviewing management reports.
Regulators increasingly expect directors to exercise informed oversight in the following areas:
- PSD2 / PSD3 (Safeguarding of Client Funds): Directors are increasingly expected to understand how client funds are protected, monitored and governed in practice.
- AML/CFT (Financial Crime Risk): Boards oversee customer due diligence, sanctions compliance, transaction monitoring and the effectiveness of AML governance arrangements.
- DORA (ICT & Operational Resilience): Directors are expected to understand operational resilience, cyber risks, ICT dependencies and incident management capabilities.
- Outsourcing & Agents (Third-Party Governance): Boards remain accountable for outsourced activities and should understand critical dependencies and contingency arrangements.
Governance, Management Information & Board Challenge
Effective oversight depends on reliable management information, informed challenge and independent judgement.
Governance connects safeguarding, financial crime, operational resilience and third-party risk through informed Board oversight.
Risk culture reinforces escalation, accountability and constructive challenge, ensuring that issues are identified, discussed and addressed before they become governance failures.
The responsibility of the Board is no longer limited to approving policies.
It now includes demonstrating active oversight, informed challenge and accountability for how risks are managed.
One Board, Multiple Regulatory Frameworks
Boards of Payment Institutions and Electronic Money Institutions increasingly oversee obligations arising from multiple regulatory frameworks simultaneously.
While PSD2/PSD3, AML/CFT, DORA and MiCAR are often discussed separately by legal, compliance, risk and technology teams, supervisors increasingly assess how these obligations operate together through the institution's governance framework.
- A safeguarding issue may reveal weaknesses in operational resilience.
- An outsourcing dependency may expose ICT and cyber risks.
- AML findings may highlight deficiencies in governance, management information or internal controls.
For Boards, the challenge is no longer understanding each regulation in isolation.
It is understanding how these obligations interact across the organisation and ensuring that governance provides effective oversight across all of them.
The most significant governance risks often arise not from a single regulation, but from the connections between them.
Where boards are most frequently exposed
In supervisory reviews, findings often do not arise because policies are missing, but because oversight is insufficiently demonstrated. Boards frequently receive detailed documentation yet have limited ability to assess whether risks are truly understood and managed in practice.
A common pattern is reliance on well-prepared dashboards that confirm compliance while masking operational reality. Directors may approve frameworks without visibility into how processes function day to day, particularly where activities are outsourced or technologically complex.
Supervisory attention increasingly focuses on whether directors can evidence informed challenge.
The expectation is not technical expertise, but engaged oversight — asking relevant questions, understanding the answers and following up where necessary.
In parallel, supervisors increasingly assess how governance decisions translate into action.
Supervisory reviews now frequently focus on the traceability of remediation. When weaknesses are identified by control functions or auditors, institutions must be able to demonstrate how these issues are prioritised, assigned to responsible functions, monitored and ultimately resolved.
What this means for directors in practice
For many Boards, the implication is not that additional policies are required, but that Board processes must become more evidence-based.
Effective oversight now depends on how meetings are structured, what information is requested, how management is challenged and how interaction with Compliance, Risk, Internal Audit, Finance and ICT functions is organised.
Under CSSF Circular 26/906, Boards are expected to demonstrate sound and prudent management, proportionate governance arrangements, effective internal controls and adequate oversight of safeguarding, outsourcing, risk management and central administration.

This also connects directly to broader regulatory expectations:
- PSD2 / PSD3 reinforces Board attention on safeguarding of client funds, operational security, fraud prevention, incident reporting and customer protection.
- AML/CFT requires effective governance of customer due diligence, sanctions screening, transaction monitoring, financial crime risk assessments and escalation of suspicious activity.
- DORA places operational resilience, ICT risk, cyber security, incident management, third-party risk and business continuity firmly within Board oversight.
- MiCAR, where applicable, adds governance expectations around crypto-asset services, e-money tokens, reserve assets, disclosures and market conduct.
Boards are also increasingly expected to articulate why their governance arrangements are proportionate to the institution’s size, complexity, risk profile and operational model. This proportionality assessment should be documented, challenged and reviewed as the business evolves.
The practical question for directors is therefore no longer only:
“Have we approved the policy?”
It is increasingly:
“Can we demonstrate why we relied on the information, how we challenged management and how we satisfied ourselves that the framework operates in practice?”
Board perspective
The challenge for Boards is no longer understanding individual regulations. It is understanding how risks, data, strategy and stakeholder expectations connect across the organisation and demonstrating effective oversight.
Recent supervisory developments, including CSSF Circular 26/906, reinforce growing expectations around Board accountability, informed challenge, evidence-based governance and independent judgement.
As an Independent Non-Executive Director and Board Advisor, I help Boards strengthen oversight across PSD2/PSD3, AML/CFT, DORA, safeguarding, outsourcing, data governance and operational resilience, while bringing an independent perspective that supports effective decision-making, diversity of thought and sustainable value creation.
You can read a detailed board-level interpretation here:
CSSF Circular 26/906 — Why governance is now a board-level growth issue for payment fintechs
Sonja Hilkhuijsen, Founder & Independent Non-Executive Director – Linkvalue
📩 sonja@linkvalue.lu