Financial compliance for platforms: why regulatory compliance is a priority in embedded banking

Software platforms can become the financial hub for their customers. They can offer business accounts with a local Spanish IBAN, payments, and cards inside the product itself, without forcing customers to juggle banks, invoicing tools, and external expense apps. But there is a common brake: fear of the regulatory complexity of PSD2 and of having to build internal compliance teams for every market.

An integrated finance or embedded banking project works best when regulatory compliance is built in from the beginning. This way, teams can innovate quickly without carrying regulatory risk.

This article explains why compliance matters in the fintech industry. It then reviews the possible operating models and what is required to stay compliant in each.

The regulatory challenge: why compliance is decisive in embedded finance

To execute monetary transactions without becoming a bank, businesses must operate under the strict regulatory framework for Electronic Money Institutions (EMIs). EMIs like Swan can operate with more technological flexibility than a traditional bank, but they have fundamental limitations, such as being unable to grant credit.

EMIs sit within the fintech ecosystem, which enables technology companies to hold customer funds and execute monetary transactions without the structure of a traditional bank.

PSD2 regulation, the Bank of Spain, and AML obligations

EMIs operate under the PSD2 European directive, which harmonizes rules to ensure reliable digital payment processes, protect consumers from fraud, and set the conditions for new technology companies to compete safely with traditional banks in funds management.

PSD2 is transposed into Spanish law through Royal Decree-law 19/2018, which complements Law 21/2011, specific to electronic money. These laws establish strict oversight coordinated by the Bank of Spain to protect the integrity of the monetary system.

Companies must comply with very specific operational and transparency obligations:

1. Activity restrictions: Regulated intermediaries are prohibited from creating their own digital money. Legally, their activity is restricted to marketing, executing, or refunding financial transactions, always acting under the name of the licensed institution.
2. Registration procedures: The banking partner or technology provider must register in the official register managed by the Bank of Spain, which has 60 days to assess the moral and professional suitability of the responsible parties before validating operations.
3. Strict capital oversight: Businesses must produce detailed reports on internal monitoring protocols aimed at combating fraud and the financing of criminal activity. Even if an agent performs the tasks, ultimate responsibility for ensuring an environment free from money laundering remains with the main authorized entity registered as an EMI.

Without a well-structured AML function, the license risks being revoked due to insufficient internal oversight.

Fintech compliance rules: requirements to embed financial infrastructure into your platform

A non-bank company has different options for embedding financial infrastructure into its platform while complying with PSD2 and Bank of Spain obligations:

• Becoming an authorized EMI

• Buying an existing service

• Using a Banking as a Service (BaaS) provider

• Partnering with an embedded finance provider that takes on compliance

Requirements and responsibilities vary depending on the model.

Becoming an authorized EMI

Obtaining a license to operate as an EMI requires an initial capital outlay of €350,000 as a minimum solvency requirement. The process to secure official authorization and build the required operations typically takes between six months and two years.

This option offers full operational independence, but comes with a significant administrative burden. The new banking department will demand more attention and resources than product innovation.

What you need

• Take full responsibility for safeguarding user funds, establishing strong governance, and securing digital operations.
• Hire specialized banking staff: KYC, suspicious activity analysts, regulatory oversight, and more. Executive profiles must reside in Spain.
• Your own banking processing systems that comply with international card data protection standards.
• Produce annual audits, activity reporting, and IT infrastructure maintenance disclosures for the regulator.

Buying an existing fintech service

Acquiring an already-operational financial structure from a validated EMI allows you to skip the initial bureaucratic path and gain direct access to fintech functionality. This route offers legal speed, but it forces you to adopt technology that was not initially built for your product.

What you need

• Audit technical requirements, legacy systems, oversight frameworks, and compliance processes to validate fit with your product.
• Adapt the acquired tool to your goals, a process that can take years of engineering work.
• ‍Align company cultures between your organization and the platform you bought, since teams will need to work closely together.

The Banking as a Service (BaaS) model and regulated agent obligations

Banking as a Service (BaaS) is a technology architecture that allows non-financial companies to embed banking tools via APIs. In this model, you become a regulated agent under the legal umbrella of a licensed financial institution, and you take on part of the obligations defined in the BaaS contract.

This format can be useful for some neobanks or companies with specific regulatory needs. But for platforms, it can risk limiting the user experience because you depend on the validation processes and technical architecture of an external provider.

What you need

‍• Register as a regulated agent with the Bank of Spain. This process takes around six months.

• Define how identity verification and regulatory monitoring responsibilities are split between your company and your BaaS partner. Fully delegating these functions often reduces agility and limits your ability to customize user onboarding.

• Align business growth with the commercial agreement with the BaaS provider, which can require multi-year commitments and therefore reduce flexibility.

• Build a fintech compliance team. Even if you use someone else’s EMI license, internal security protocols remain your responsibility.

Embedded banking and embedded finance solutions to delegate regulatory compliance

Embedded finance and embedded banking bring financial services into digital platforms outside the banking sector to create smooth user experiences. While the BaaS model shifts part of the responsibility to you as a regulated agent, in this kind of partnership compliance sits entirely with your provider. Collections and balances become native components of your product, avoiding external technical flows that interrupt navigation.

What you need

• Delegate regulatory monitoring and technical maintenance to an authorized EMI.
• ‍Coordinate your product roadmap with the partner so the financial infrastructure evolves at the pace of your innovations.

Advantages of a financial partner to externalize compliance

By choosing a strategic ally rather than a purely technical vendor, you can focus resources on product innovation. While a vendor delivers tools and steps back (or limits collaboration to a fixed scope), an embedded finance partner takes full regulatory and operational responsibility on an ongoing basis. This frees you from financial bureaucracy while preserving full control over your interface look and feel, and your brand identity.

Working with Swan: automated KYC and a European EMI license to scale

Swan is an authorized Electronic Money Institution (EMI) across Europe. As a partner, you can leverage that license to embed a financial hub with accounts, payments, and cards in your platform without applying for your own authorization or building an internal compliance and risk management team from scratch.

In practice, this means less administrative workload, lower recurring costs, and a faster launch, while you retain full control over the product experience and your brand.

More than 150 software companies already use our EMI license across Europe.

What you get with Swan

• Priority launch of financial services in weeks, not months, without lengthy administrative timelines with the Bank of Spain and banking authorities.
• ‍Stay focused on your core product while our external experts manage fraud controls and professional safeguarding of funds.
• Full brand and UI independence, with a native integration that preserves your identity across KYC onboarding and all subsequent operations.
• Relief from regulatory obligations by delegating IT maintenance and legal monitoring to an authorized EMI across Europe.
• More efficient user onboarding through automated digital verification (KYC) protocols that accelerate scalability while meeting the highest security standards.

When financial features are embedded into software platforms, compliance cannot be treated as an optional or secondary concern. With a partner that ensures compliance from day one, you can move faster without taking on regulatory risk.

By partnering with an embedded finance provider like Swan, your company can focus on its core value, its services, and the customer experience, without having to navigate strict fintech regulations. Compliance does not slow down launch or increase operating costs.‍