Board Oversight in Payment Institutions & Electronic Money Institutions
Why governance in payment institutions is different
Payment institutions and electronic money institutions operate in a regulatory environment that has matured faster than the governance structures of many firms.
These organisations often grow rapidly, rely heavily on outsourced technology and operational partners, and manage client funds without being structured like traditional banks. As a result, supervisory authorities increasingly focus not only on compliance functions but on the effectiveness of the board of directors.
​
In recent years, regulatory expectations have shifted. Supervisors no longer assess only whether policies exist. They assess whether the board understands the risks, challenges management decisions and can demonstrate active oversight. Directors are expected to evidence informed judgement, not passive approval.
​
This creates a new reality for boards: governance is no longer a formal requirement — it has become a risk function in itself.
​
​​
Why regulators now focus on the board
​Across Europe, supervisors have identified that many incidents in payment institutions did not originate from a lack of regulation, but from insufficient board oversight. Rapid business models, dependence on third-party providers, safeguarding of client funds and operational resilience require board involvement that goes beyond reviewing management reports.
​
Regulators increasingly expect directors to:
​
-
understand the business model and revenue flows
-
challenge risk assessments presented by management
-
oversee outsourcing and agent arrangements
-
ensure safeguarding mechanisms function in practice
-
understand operational and IT dependencies
​
The responsibility of the board is therefore no longer limited to approving policies. It now includes demonstrating that the board actively supervises how risks are managed.
What directors are now expected to actually oversee
Boards of payment and electronic money institutions are increasingly expected to demonstrate active oversight, not only formal approval. Supervisory expectations now go beyond reviewing policies or receiving management reports. Directors must be able to show informed challenge and understanding of how the business operates in practice.
​
In particular, directors should ensure they have sufficient visibility over the following areas.
​
Safeguarding of Client Funds
Directors should understand where client funds are held, how reconciliations are performed and what occurs in the event of operational disruption. Safeguarding is no longer purely operational — it is a board accountability matter.
​
Outsourcing and Agent Oversight
Payment institutions often rely on third-party providers and agents. Boards are expected to oversee selection, monitoring and contingency planning. Reliance on outsourcing does not reduce director responsibility.
​
Operational Resilience & IT Dependency
Technology failure can immediately halt business activity. Directors should understand system dependencies, incident escalation processes and recovery capabilities — not only receive technical summaries.​
​
AML and Conduct Risk Exposure
Financial crime exposure and customer treatment remain supervisory priorities. Directors should understand how monitoring functions operate in practice and where vulnerabilities may exist.
​
Risk Reporting & Management Information
Effective oversight requires reporting that enables judgement. Boards should ensure that management information supports challenge rather than merely confirming compliance.
​​
Where boards are most frequently exposed
In supervisory reviews, findings often do not arise because policies are missing, but because oversight is insufficiently demonstrated. Boards frequently receive detailed documentation yet have limited ability to assess whether risks are truly understood and managed in practice.
​
A common pattern is reliance on well-prepared dashboards that confirm compliance while masking operational reality. Directors may approve frameworks without visibility into how processes function day to day, particularly where activities are outsourced or technologically complex.
​
Supervisory attention increasingly focuses on whether directors can evidence informed challenge. The expectation is not technical expertise, but engaged oversight — asking relevant questions, understanding the answers and following up where necessary.
What this means for directors in practice
For many boards, the implication is not that additional policies are required, but that board processes must evolve.
Effective oversight now depends on how meetings are structured, what information is requested and how interaction with management and control functions is organised.
​
Directors may need clearer reporting lines from control functions, deeper discussion on operational risks and more direct understanding of critical service providers. In many cases, relatively small adjustments to board agendas, reporting formats and escalation processes significantly improve oversight.
​
The objective is not to manage the business, but to ensure the board can demonstrate informed supervision appropriate to the institution’s risk profile.
Board perspective
This page reflects a board-level interpretation of supervisory expectations based on practical experience in regulated financial institutions. It is not intended to replace legal or compliance advice, but to help directors understand how regulatory developments translate into their own responsibilities.
​
Each institution has different governance challenges depending on its business model, growth stage and operational structure. A focused discussion often helps clarify which areas require attention and how oversight can be strengthened proportionately.
​
Recent supervisory developments, including the new CSSF circular applicable to payment institutions, further clarify board expectations and oversight responsibilities.
You can read a detailed board-level interpretation here:
CSSF Circular 26/906 — Why governance is now a board-level growth issue for payment fintechs
​
​
​
Request a governance discussion
Sonja Hilkhuijsen, Founder & Independent Non-Executive Director – Linkvalue
📩 sonja@linkvalue.lu
​