15 July 2026
The Wolfsberg Group ¦ Guidance on the Provision of Banking Services to non-bank Payment Service Providers (PSPs)
Managing financial crime risk in non-bank PSP relationships
Non-bank payment service providers have become central to modern payments. They offer faster, cheaper and more accessible ways to send money, pay merchants, issue cards and operate digital wallets. Their growth has expanded choice for consumers and businesses, but it has also created difficult financial crime risk-management questions for the financial institutions that provide them with accounts, payment access and settlement services.
The Wolfsberg Group’s guidance on non-bank PSPs sets out a practical framework for financial institutions seeking to manage these relationships within their risk appetite. It builds on established correspondent banking principles, the Wolfsberg Payment Transparency Standards, and changes to FATF Recommendation 16 that strengthen information requirements for cross-border wire transfers.
The central message is clear: a non-bank PSP relationship cannot be assessed merely by looking at the legal entity opening the account. Financial institutions must understand the PSP’s underlying activity, customers, payment flows, intermediaries and control environment.
A broad and varied sector
The term non-bank PSP covers a wide range of businesses that facilitate transfers of funds without operating under a banking licence. This can include money remitters, electronic money institutions, merchant acquirers, third-party payment processors, fintechs and wallet providers. Their activities may range from business payments and foreign exchange services to consumer remittances, card issuing, e-commerce settlement and cash withdrawals.
These businesses should not be treated as a single risk category. A domestic PSP that processes salary payments for established corporate clients presents a very different profile from a cross-border remittance provider using cash agents, third-party wallet partners and bulk settlement accounts. Similarly, a merchant acquirer serving established domestic retailers may have materially different risks from one supporting online merchants across several countries.
Risk depends on the actual products offered, the countries involved, how customers are onboarded, how funds enter and leave the system, and how much transparency is retained throughout the payment chain.
Intermediation can reduce payment visibility
Non-bank PSPs commonly depend on banks and other financial institutions for accounts and access to payment market infrastructure. A PSP may collect funds from many customers, combine them into a single payment, send that payment across borders, and then instruct a local partner to distribute the funds to multiple recipients.
This arrangement can make payments efficient, but it may leave the supporting financial institution with only a partial view of the underlying activity. The institution may see a large transfer between two PSP or bank accounts while having limited information about the individual originators, beneficiaries, purposes or goods and services involved.
That loss of visibility is particularly significant in bundled, netted and bulk payment arrangements. The risk varies depending on the flow. A one-to-many salary payment may generally be easier to understand and control than a many-to-one merchant collection model or a many-to-many remittance structure involving numerous originators and beneficiaries.
Where aggregation obscures the underlying transactions, the financial institution becomes more dependent on the non-bank PSP’s customer due diligence, sanctions screening, transaction monitoring, fraud prevention and escalation processes.
Payment transparency remains fundamental
Payment transparency is a core requirement of the Wolfsberg framework. The originating PSP has primary responsibility for ensuring that payment instructions include complete and accurate originator and beneficiary information. Intermediary PSPs also have an important role in preserving this information, transmitting it without inappropriate alteration and addressing incomplete data in accordance with applicable law.
The June 2025 FATF updates to Recommendation 16 reinforce the expectation that cross-border wire transfers contain complete originator and beneficiary information. For institutions supporting non-bank PSPs, this means assessing more than whether the PSP has a policy addressing payment transparency. They should understand how the policy works in practice across each payment rail, payment corridor and business model.
This is especially important where payments involve cards, wallets, local clearing systems, international wires or multiple intermediaries. A card-funded payment collected in one country may ultimately be bundled into a cross-border transfer and disbursed through a domestic payment system elsewhere. The information available at each stage may differ considerably.
Financial institutions should therefore understand which party collects payment data, how that data is validated, whether information is retained through aggregation and disaggregation, and how missing or incomplete information is detected and handled.
Understanding payment flows is not optional
The guidance distinguishes between proprietary, third-party and bundled payment flows. This distinction is essential because labels used by a PSP can be misleading.
A proprietary payment, such as an operational expense or a principal-to-principal transfer, may appear lower risk because it is made on the PSP’s own behalf. However, institutions should carefully examine payments described as liquidity management. A PSP may move funds in anticipation of customer disbursements, meaning that a supposedly proprietary flow may in fact support payments to third parties.
Third-party flows require a deeper understanding of the PSP’s customer population and the activities being facilitated. Where a financial institution processes non-proprietary activity, its exposure can resemble correspondent banking exposure. It may be indirectly exposed to the financial crime risks posed by the PSP’s merchants, remittance customers, agents, partner PSPs or downstream institutions.
Nesting creates a further challenge. A global PSP may provide payment services to local PSPs or smaller financial institutions, which in turn serve their own customers. The supporting institution may have a direct relationship with the global PSP but no direct relationship with, or visibility over, the nested entities and their underlying customers. This makes robust downstream due diligence, contractual obligations and ongoing oversight particularly important.
Key risk areas: sanctions, money laundering and fraud
The reduction in end-to-end visibility can increase sanctions risk. A financial institution may not be able to identify all parties connected with an underlying payment or assess whether goods, services or funds have a link to a sanctioned person, territory or prohibited activity. The risk can be higher where payments are aggregated, cross-border, involve complex partner networks or are routed through jurisdictions with weaker regulatory oversight.
Money laundering risk is also heightened where the institution cannot see the true origin, purpose or ultimate destination of funds. Criminals may misuse payment platforms to layer funds, move value rapidly across borders, disguise illicit proceeds as commercial transactions, or exploit wallets and prepaid instruments for rapid transfers.
Fraud is equally significant. Non-bank PSPs may not always have the long-term customer relationships and behavioural data available to traditional banks. They may face high volumes of rapid onboarding, digital identity fraud, account takeover, scam payments, merchant fraud, card fraud and fraudulent documentation. Fragmented arrangements involving several PSPs can also delay detection, investigation and recovery.
The appropriate response is not to assume that all non-bank PSPs are unacceptable customers. It is to identify the particular exposure and determine whether it can be managed effectively.
Due diligence must reflect the actual business model
Enhanced due diligence should be tailored to the PSP and the services being supported. Standard questionnaires may provide a starting point, but they are unlikely to be sufficient on their own for complex or high-risk relationships.
Financial institutions should understand whether the PSP provides business remittances, consumer remittances, merchant acquiring, wallet services, foreign exchange, card products or a combination of these. They should identify all funding methods, including bank transfers, cards, cash, money orders, prepaid products and transfers from other wallets. Funding sources that are anonymous or difficult to trace require careful consideration.
Geographic exposure also matters. Cross-border flows generally carry greater risk than domestic payments due to differing regulatory standards, sanctions exposure, fraud patterns and limitations in payment information. Institutions should assess the jurisdictions where the PSP is incorporated, licensed, operated and supervised, as well as the countries involved in payment corridors and underlying customer activity.
The review should also cover non-resident customers, agents, distributors, outsourcing arrangements, technology partners and other PSPs in the payment chain. Where partners perform onboarding, KYC, sanctions screening or transaction monitoring, the allocation of responsibility must be clear and supported by evidence that the arrangement works in practice.
Licensing alone is not enough
A PSP’s licensing or registration status is an important part of due diligence, but it is not a complete risk assessment. Financial institutions should establish whether the PSP holds the permissions required for its actual activities, including any local licensing requirements, passporting arrangements and regulatory registrations.
The key question is whether the authorisation is aligned with the business model being supported. A PSP may be properly licensed in its home jurisdiction while offering services into other countries that create additional legal, regulatory or financial crime risk. The institution should understand the scope of the licence, the quality of supervisory oversight and any enforcement, remediation or regulatory concerns.
Where a PSP operates through agents, affiliates or local partners, the institution should also understand whether those entities require licences or registrations and whether the PSP maintains adequate oversight of them.
Assessing the control environment
A thorough assessment of financial crime controls should examine both policy design and operational effectiveness. The quality and experience of senior compliance staff, including the MLRO and compliance leadership, are relevant, as are staffing levels, governance arrangements, escalation channels and management oversight.
Customer due diligence should cover identity verification, beneficial ownership, customer risk ratings, high-risk customer processes and periodic reviews. Institutions should consider whether enhanced due diligence is meaningfully tailored to risk or simply applied as a formality.
Sanctions controls require close attention. The review should consider the sanctions lists used, screening technology, matching methods, treatment of free-text fields, real-time capabilities, alert handling and escalation. It should also consider whether the PSP screens connected parties and addresses indirect sanctions exposure, including the origin and destination of goods where relevant.
Transaction monitoring should be assessed for its coverage, scenarios, timing, alert volumes, backlog management, investigation quality and suspicious activity reporting process. Manual monitoring may be appropriate for a small and simple business, but it may become inadequate as payment volumes, geographic reach or product complexity increase.
Financial institutions should also understand how the PSP uses machine learning or artificial intelligence in fraud, sanctions or AML processes. The use of technology does not remove the need for governance. Institutions should seek comfort that relevant systems are explainable, independently assessed, properly overseen and supported by people with sufficient expertise.
Ongoing review is essential
Non-bank PSPs can change rapidly. They may launch new products, enter new markets, add payment corridors, introduce new funding methods, acquire other businesses or establish partnerships that materially alter the risk profile of the relationship.
For this reason, due diligence cannot be treated as a one-time onboarding exercise. Ongoing reviews should be driven by risk and triggered by material changes, including adverse media, ownership changes, regulatory action, financial crime incidents, licensing issues, unexplained activity shifts or the emergence of new intermediaries.
Account activity reviews are particularly valuable. These are distinct from ordinary transaction monitoring. Their purpose is to identify broader changes in the relationship, such as rising volumes, unexpected cross-border activity, new payment corridors, reduced payment transparency, potential nesting, unusual concentration in particular sectors or an increasing link to high-risk jurisdictions.
These findings should feed into periodic enhanced due diligence and decisions about whether the relationship remains within risk appetite.
A balanced approach to financial inclusion and control
Non-bank PSPs play an important role in making payments more accessible and efficient. They can support remittances, e-commerce, small businesses and customers who may otherwise have limited access to traditional financial services. A blanket refusal to serve the sector can push payment activity toward less transparent channels.
At the same time, financial institutions have substantial responsibilities as participants in the payment system. They must not allow commercial opportunity, rapid growth or reliance on technology to obscure the risks created by complex payment flows and limited information.
The Wolfsberg guidance supports a balanced approach. Financial institutions should assess each non-bank PSP relationship according to the specific activity, transparency, geography, customer base and control framework involved. Where risk can be understood, mitigated and monitored, the relationship may be viable. Where the institution cannot obtain sufficient comfort, particularly in the presence of opaque third-party or nested payment flows, it should restrict services, require remediation or decline or exit the relationship.
Effective risk management in this sector depends on asking the right questions before onboarding, maintaining meaningful oversight throughout the relationship, and ensuring that payment speed and innovation do not come at the expense of transparency, sanctions compliance, AML controls and fraud prevention.