We navigate FinTech through an ocean of regulations. Safely.

Running a fintech or planning to launch? We help you handle all the regulations at once — PSD2, MiCA, AML, DORA and so on. While still understanding the business.

Fintech regulations: PSD2, MiCA, AML, DORA

fintech brands we have worked with

Quicko
Fenalabs
Paytree
PragmaGO
Autopay
Booste
Cashbene
DPay
EasySend
Fenige
FiberPay
HotPay
idoPay
Lendi
LitPay
PayPo
Patronite
Payland Net

what we specialise in

FinTech, LendTech, PayTech, Crypto. Whichever area you operate in — we will help you.

Small Payment Institution (MIP)

The fastest path to legal payment services.

  • MIP registration with KNF from A to Z
  • Documentation and operational procedures
  • Monitoring of the EUR 1.5 million limit
  • MIP → KIP conversion plan
Explore MIP

National Payment Institution (KIP)

Full payment licence with no volume limits.

  • Licensing strategy and application to KNF
  • Capital, safeguarding of funds, reporting
  • Day-to-day compliance after authorisation
  • Expansion and scaling of the model
Explore KIP

MiCA / Crypto-assets

From asset classification to the CASP licence and post-authorisation compliance.

  • Classification of tokens and crypto-asset services
  • CASP authorisation application
  • White paper documentation and AML integration
  • Joining up with PSD2 and DORA requirements
Explore MiCA

Loans / BNPL

Readiness for CCD2 and KNF supervision in the lending model.

  • Qualification of the BNPL / lending model
  • Pre-contractual and contractual documentation
  • Protection against the free credit sanction (SKD)
  • Entry into the register of lending activity
Explore BNPL

AML — anti-money laundering

AML procedures tailored to the scale and risk profile of a fintech.

  • CDD/EDD procedures and transaction monitoring
  • Sanctions screening and STR reporting
  • AML audits and readiness for AMLA inspections
  • AML training for teams
Explore AML

DORA — digital resilience

Roll-out of IT resilience required from financial entities.

  • ICT risk management
  • Incident reporting procedures
  • Digital resilience testing
  • Oversight of technology providers
Explore DORA

the four pillars of fintech regulation — and how to handle them together

Every fintech has to deal with four areas of regulation. We help assess what is urgent now and what to plan for the next stages.

PSD2 / UUP — payments

If you accept payments or provide accounts, you need to know which licence type fits you (MIP or KIP), how to secure transactions (SCA) and what happens when a customer reports an unauthorised operation.

MiCA / Crypto-assets

If you deal with tokens or cryptocurrencies, you need to determine how to classify your assets, whether you need a CASP licence (crypto-asset service provider) and which documents to prepare.

AML — anti-money laundering

Customer verification (KYC/CDD), sanctions list screening, monitoring of suspicious transactions and reporting them to GIIF — these are duties of every financial institution, fintechs included.

DORA — digital resilience

How do you manage IT risk? How do you respond to outages? Do you have control over your technology providers? DORA requires you to have concrete answers and procedures.

The most important thresholds and operational duties

  • KIP (national payment institution): minimum capital of EUR 20,000–125,000, depending on the service model.
  • MIP (small payment institution): a EUR 1,500,000 limit on average monthly volume and monitoring of the customer funds limit above EUR 2,000.
  • AML: customer verification for high-risk relationships and transactions; the key transaction threshold is above EUR 10,000.
  • MiCA: correct classification of the asset and the service determines the path of duties for a crypto-asset service provider.
  • DORA: IT incidents and supplier risk must be managed on an ongoing basis, not as a one-off.
  • Inconsistent rollout of PSD2 + AML + DORA + MiCA is the most common source of costly post-audit fixes.

why legal geek in fintech


Legal status/material: 22 February 2026 (MiCA/AML/DORA update: 21 February 2026).

the most common mistakes in fintech — and how to avoid them

Three beliefs that regularly cost fintechs time and money. See if any of them applies to you.

Myth: “We have AML, so DORA does not apply to us”

Consequence: the organisation has good financial controls but does not close out IT risk management, resilience testing and oversight of technology providers.

What to do: combine financial controls with IT risk management in a single model — so that you do not discover gaps only at the audit.

Myth: “MIP is enough for every stage of growth”

Consequence: exceeding scale limits under business pressure and the risk of an emergency conversion to a full licence (KIP).

What to do: plan the transition from MIP to KIP (the full licence) 6–12 months before reaching the volume limits.

Myth: “The crypto and payments models can be implemented separately”

Consequence: double customer verification, inconsistent complaints procedures and a conflict of roles between payment and crypto regulations.

What to do: build a single map of services and obligations covering payments, crypto and AML at once.

What is the difference between MIP, KIP and CASP?

  • MIP (small payment institution): faster start and lower entry threshold, but with scale limits and no full passporting.
  • KIP (national payment institution): full licence for a wider payment model, with higher governance and capital requirements.
  • CASP (crypto-asset service provider, MiCA): a regime for crypto-asset services; often requires integration with AML and elements of the payments model.

The most common gaps found in audits

  • no single list of process owners spanning compliance, operations, security and IT,
  • a mismatch between customer-facing terms and the actual customer journey in the product,
  • insufficient evidence that controls have been performed at reporting and review time.

DORA/NIS2 ITSec guidelines for fintechs

Download a ready-made operational resource for compliance, security and IT teams. In one place you get checklists and recommendations to roll out.

  • Over 1,250 guidelines organised into 26 categories.
  • One logic for DORA and NIS2, no process duplication.
  • Practical format: from governance to incidents and the supply chain.
  • Material to work with for your team and to discuss with ICT outsourcers.

implementation plan: 11 steps to compliance

This is what the road from “I need to get this sorted” to “I have it under control” looks like. Each step ends with something concrete that stays with the organisation.

Stage 0 — diagnosis: which regulations apply to you

We establish which regulatory regimes apply to your business (PSD2, MiCA, AML, DORA) — we check what services you offer, how money flows and which countries you operate in.

The output is a qualification report: which regulations apply to your model and why.

Stage 1 — map of services and obligations

We tie your offering to specific legal and operational obligations — we break the offering down and check what duties apply to each service and each customer step.

The output is a service map with assigned regulatory obligations.

Stage 2 — licensing and authorisation

We design the right licensing path (MIP, KIP or CASP) — we analyse capital requirements, prepare the timeline of proceedings and assemble the documents.

The output is a licensing plan and a capital requirements analysis.

Stage 3 — who is accountable for what

We assign accountability for compliance across the whole organisation — we set who is responsible for what, who makes decisions and how information flows from the board down to IT.

The output is an accountability matrix and a decision-making chart.

Stage 4 — customer verification and AML

We build a customer verification process compliant with AML requirements — we design the path from registration, through risk assessment, to sanctions list screening.

The output is customer verification (KYC/CDD) and anti-money laundering procedures.

Stage 5 — IT security and business continuity

We secure business continuity and DORA compliance — we build an IT risk management model: how to classify incidents, how to test system resilience and what to do when something goes down.

The output is an IT resilience framework aligned with DORA.

Stage 6 — reporting and incidents

We roll out a coherent model of notifications and reports to the relevant authorities — we combine AML, DORA reporting paths and payment alerts into a single procedure with clear escalation thresholds.

The output is an incident response and authority reporting procedure.

Stage 7 — documentation and customer information

We secure the consistency of customer documents, contracts and regulatory information — we update terms, contracts and mandatory customer disclosures so they fit all the regulations.

The output is a package of customer-facing and regulatory documentation.

Stage 8 — testing and training

We check whether processes work in practice and whether the team knows its duties — we test processes, run simulation exercises and train the team on its specific obligations.

The output is a training plan and test documentation.

Stage 9 — inspection readiness

We shorten the response time to regulator queries and reduce inspection risk — we run a gap review, evidence test, remediation plan and assign owners.

The output is an audit readiness report.

Stage 10 — keeping compliance current

We keep compliance current as the business scales and regulations change — we monitor legal changes, run quarterly reviews and update processes so that compliance is not a one-off project.

The output is an ongoing compliance maintenance plan.

regulatory integration: one process map

The biggest operational advantage comes from a single process matrix. The same onboarding, monitoring and governance can satisfy PSD2/UUP, MiCA, AML and DORA at the same time.

Onboarding and identity

We combine strong customer authentication (SCA), customer due diligence (CDD/EDD) and risk rules so that steps are not duplicated and the registration flow stays smooth.

Monitoring and incidents

We build common alerting logic for fraud, AML and ICT/IT incidents, with clear escalation thresholds and accountability.

Suppliers and outsourcing

A consistent supplier assessment model (security, continuity, compliance) supports DORA, AML and payment-services obligations at the same time.

Regulatory matrix: which processes satisfy which rules

Customer onboarding
  • PSD2/UUP: SCA, information duties
  • MiCA: CASP service qualification
  • AML/AMLR/TFR: Customer verification (CDD/EDD)
  • DORA: Access controls
  • GDPR/NIS2: Data minimisation

Transaction monitoring
  • PSD2/UUP: Fraud and D+1 complaints
  • MiCA: Asset and transfer monitoring
  • AML/AMLR/TFR: AML scenarios and STR reporting
  • DORA: ICT/IT event monitoring
  • GDPR/NIS2: Security by design

Incidents and reporting
  • PSD2/UUP: Register of payment events
  • MiCA: Issuer/CASP obligations
  • AML/AMLR/TFR: Reports to GIIF and escalation
  • DORA: Incident reporting (DORA)
  • GDPR/NIS2: Data and cyber breaches

Supplier management
  • PSD2/UUP: Outsourcing of critical functions
  • MiCA: Tokenisation services support
  • AML/AMLR/TFR: Partner screening
  • DORA: IT supplier risk
  • GDPR/NIS2: Supply chain security (NIS2)

Governance and training
  • PSD2/UUP: Owners of payment processes
  • MiCA: CASP/issuer roles
  • AML/AMLR/TFR: Compliance Officer and AML matrix
  • DORA: Security and risk role
  • GDPR/NIS2: Data protection and cyber awareness

Business outcome

  • One control map instead of several independent to-do lists to roll out.
  • Less process duplication and lower compliance maintenance cost.
  • Faster preparation of the organisation for audits and queries from authorities.

fintech support packages

Packages help you move from knowledge to implementation. Each one has a clearly defined outcome and scope.

FinTech Readiness Scan

For boards and founders planning to enter the market or change their operating model. You get a regulatory map, a list of key risks and an action plan for the first 90 days.

KIP/MIP licence

For organisations building or changing their licensing model. We run the licensing project on the substantive side, prepare the documentation and support communication with the supervisor.

SCA & RTS Gap Analysis

For entities looking to reduce dispute and fraud loss exposure. We review authentication paths, RTS exemptions and the evidence model.

Open Banking/API Compliance

For banks and institutions exposing APIs to third parties. We organise the API compliance framework, customer consent management and the remediation plan.

PSD2 + AML + DORA Integration

For firms running parallel compliance projects under tight resources. We combine them into a single process matrix, integrated policies and a coherent reporting model.

FinTech Compliance as a Service

For organisations needing ongoing support after launch — monitoring legal changes, updating documents and quarterly compliance reviews.

expert leading the fintech practice

We run projects on a business-and-regulation basis: first the decisions that affect product and risk, then documentation and operational rollout.

Support from the first decision

  • Qualification of the model and choice of licensing path.
  • Phased rollout and management priorities.
  • Working with business, compliance and IT in one rhythm.


  • Experience with MIP/KIP rollouts and projects spanning several regulations.
  • Combining PSD2 with AML, DORA and MiCA without duplicating processes.
  • Support during audits and communication with supervisory authorities.

Contact about FinTech

Tomasz Klecor


Managing Partner

FinTech navigator. Lawyer.

For 15 years he has helped Poland's largest and most ambitious fintechs grow safely and globally. Starting as a lawyer, he now combines law, strategy, and technology — advising founders and boards on key decisions: how to scale in compliance with regulations, how to correctly implement DORA, MiCA, or AML and prepare for PSD3/PSR, and how to avoid the regulatory killers that can stop growth in its tracks.
LinkedIn

FinTech FAQ

The questions that come up most often when combining PSD2, MiCA, AML and DORA at the same time.

The starting point is qualifying the service and the flow of funds — we analyse how money reaches you from the customer and what happens to it. That determines whether you fall into the MIP (small payment institution) model, the KIP (national payment institution) model or another regime.

MIP (small payment institution) works well at the entry stage and for validating the model — faster start, lower requirements. KIP (national payment institution) is the right fit when you want to scale your service scope and volume. The key is to plan the transition in advance, not under the pressure of a limit.

You need a clear incident response procedure: a fast refund within the D+1 deadline (the next business day) and a parallel AML analysis track with a clear escalation model. One must not block the other — that is why we build them together from the start.

When you act as a financial entity or perform critical IT functions in the chain of a financial institution. DORA requires IT risk management, incident reporting and oversight of technology providers — regardless of whether you are a bank or a fintech.

It depends on the type of crypto-asset, the catalogue of services and how customers are served. Correct asset classification (whether it is a utility token, a stablecoin or another type) is the starting point — the entire path of obligations follows from it.

In practice yes — and it pays off. A joint rollout reduces process duplication (e.g. the same onboarding handles both PSD2 and AML), makes auditing easier and lowers the cost of maintaining compliance. Doing it separately means paying for the same thing several times.

AIS (account information access) and PIS (payment initiation) are separate services with their own obligations. Correctly assigning roles, managing API interfaces and a clear complaints model are critical — because liability is allocated differently than in classic payments.

We start with a shared map of processes and people responsible, then build a single matrix of control evidence for PSD2, MiCA, AML and DORA. The result: instead of four separate projects, you have one coherent system.

It directly applies to crypto transfers, but it also affects fintechs combining payment and crypto products. The Travel Rule changes the scope of data you must collect and forward — so if you plan to combine both worlds, it is worth taking it into account from the start.

get in touch about your fintech project

Write or call — in our first conversation we will work out where you are and what you need.

The FinTech practice is led by:

Tomasz Klecor


Managing Partner

FinTech navigator. Lawyer.

+48 797 711 924
fintech@legalgeek.pl

Describe your project

Tell us where you are — diagnosis, licensing, integrating regulations or post-implementation support.
