Electronic money institutions (EMIs) operate within a regulatory framework that — relative to traditional banking — permits lighter KYC for low-balance digital wallets but mandates video KYC when transaction thresholds are exceeded. This tiered design is consistent across EMD2 in the EU, the EBA Remote Onboarding Guidelines, and Turkey's BDDK framework. This article walks through tier-based KYC design, the triggers that escalate to video sessions, and the audit requirements that EMIs need to satisfy under each regulatory regime.
The EMI KYC Framework
EMIs sit at the intersection of multiple regulatory layers. In the EU:
- EMD2 (Electronic Money Directive 2) — sets the institutional framework for EMI authorization and operation.
- AMLD — applies customer due diligence obligations.
- EBA Remote Customer Onboarding Guidelines (October 2023) — clarifies technology expectations for remote onboarding.
- GDPR — biometric data is special-category personal data.
In the UK, EMIs are authorized under the Electronic Money Regulations 2011, supervised by the FCA, and subject to MLR 2017 for AML obligations. See our UK EMI FCA authorization roadmap.
In Turkey, EMIs operate under BDDK supervision within the Remote Customer Onboarding Regulation framework, plus MASAK obligations under Law No. 5549.
Tier-Based KYC Design
EMIs almost universally adopt tiered KYC. Asking every prospective customer to complete full document verification before they can use the product kills conversion. The tiered pattern:
Tier 0: Instant Wallet
- Phone number + OTP
- Email + OTP
- Basic profile (name, optional address)
- Wallet created; customer can browse but cannot transact meaningfully
This tier doesn't satisfy regulatory KYC — it's a product onboarding step. Limits are zero or near-zero (view-only access plus a very small balance).
Tier 1: Light KYC
- ID number verification (where local data sources support it — e.g. Turkey TCKK match against MERNIS, UK Companies House cross-checks for sole traders, certain EU national ID databases)
- Selfie + passive liveness
- Baseline biometric for future re-verification
Unlocks small daily transaction limits (typical: EUR 100-200 in the EU; lower in some jurisdictions). Fully automated, no operator involvement.
Tier 2: NFC + Full Verification
- Chip ID reading via NFC (passport, EU national ID, TCKK) with ICAO 9303 PKD signature validation
- Active liveness detection
- 1:1 chip photo ↔ live selfie matching
- AML screening (sanctions, PEP, adverse media)
Unlocks moderate limits (typical: EUR 1,000-5,000 daily, depending on jurisdiction and institutional risk appetite). NFC implementation detail in our NFC ID verification guide.
Tier 3: Video Session + Higher Limits
- Operator video ID session (3-5 minutes)
- Source of funds / income declaration
- Address verification (utility bill or equivalent)
- Detailed risk profile
Unlocks high limits (typical: above EUR 5,000-10,000 daily) and feature unlocks like card issuance, bulk transfers, or crypto bridges. The operator workflow follows the standard video ID design — see our video KYC and SPK compliance article for the operator workflow architecture.
When Is Video KYC Required?
Across the EU, UK, and Turkey, video KYC for EMIs triggers under one or more of these conditions:
- Monthly or daily transaction volume threshold exceeded — typically EUR 5,000-15,000 depending on jurisdiction and institutional risk policy.
- Single high-value transaction requested — particularly outgoing transfers.
- Risk score elevated — PEP, high-risk jurisdiction, anomalous transaction pattern.
- Time-based escalation — some institutions move customers to Tier 3 within 90 days as standard practice.
- Anomalous behavior detected — new device, new IP, unusual transaction pattern.
UX recommendation: frame the escalation positively. "Raise your limit with a 5-minute video session" converts substantially better than "Your account is restricted."
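The trigger list above can be expressed as an automated rule set that also emits the record an inspector later asks for (which transaction crossed which threshold, and the system response). The following is an added example, not code from this article's authors or any vendor; the threshold values, the `Customer` fields, the response names and the response policy are assumptions for a Tier 2 customer.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed policy values, picked from inside the ranges the article quotes;
# a real EMI calibrates them per product and jurisdiction.
MONTHLY_VOLUME_LIMIT = Decimal("5000")   # EUR per calendar month at Tier 2
SINGLE_TX_LIMIT = Decimal("2500")        # EUR per outgoing transfer (hypothetical)
TIME_ESCALATION_DAYS = 90                # standard-practice move to Tier 3

@dataclass
class Customer:                          # hypothetical Tier 2 customer state
    customer_ref: str
    month_volume: Decimal
    days_since_onboarding: int
    pep: bool = False
    high_risk_jurisdiction: bool = False
    known_devices: set = field(default_factory=set)

def evaluate_transfer(c, amount, device_id):
    """Return the trigger record for one outgoing transfer request."""
    amount = Decimal(amount)
    fired = []
    if c.month_volume + amount > MONTHLY_VOLUME_LIMIT:
        fired.append("volume_threshold")
    if amount > SINGLE_TX_LIMIT:
        fired.append("single_high_value")
    if c.pep or c.high_risk_jurisdiction:
        fired.append("risk_score")
    if c.days_since_onboarding >= TIME_ESCALATION_DAYS:
        fired.append("time_based")
    if device_id not in c.known_devices:
        fired.append("anomalous_behavior")
    # Assumed response policy: anything except a purely time-based trigger
    # blocks the transfer and offers the video session as the way forward.
    if not fired:
        response = "allow"
    elif fired == ["time_based"]:
        response = "allow_offer_video_session"
    else:
        response = "block_offer_video_session"
    return {
        "customer_ref": c.customer_ref,
        "amount_eur": str(amount),
        "month_volume_before_eur": str(c.month_volume),
        "triggers": fired,
        "response": response,
    }
```

Amounts are handled as `Decimal` so that threshold comparisons are exact; the returned dictionary is meant to be written to the audit trail unchanged.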
Operator Workflow
The video session architecture for EMIs is generally lighter than full banking KYC — the product is narrower, the risk profile inquiry is shorter. A typical session:
- Pre-session technical summary — operator console shows NFC outcome, biometric score, liveness score, AML screening hits.
- Customer joins session — camera + microphone check.
- Operator greeting + identity confirmation (1-2 minutes) — hold document to camera; confirm name, date of birth.
- Risk profile questions (1-2 minutes) — source of funds, intended use.
- Approval + limit increase — system auto-activates; customer notification sent.
Typical session duration: 4-6 minutes. Peak-hour queue waits: 3-8 minutes.
Audit and Retention
Cross-regulator EMI inspection generally examines:
- Tier transition logs — which customer reached which tier, when, via which verification steps.
- Video session recordings — retention typically 5 years post-termination (EU) or 10 years (Turkey).
- Limit threshold trigger records — which transaction crossed which threshold, system response.
- AML screening outcomes and operator dispositions — sanctions/PEP/adverse media hits and operator decisions.
- Customer risk score evolution — starting score, periodic recalibration, triggering events.
GDPR / KVKK compliance for biometric data (explicit consent, restricted access) is examined separately and must be embedded in the architecture from day one.
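Tier transition logs are only useful to an inspector if later edits can be detected. One way to get that property is a hash chain, where each entry commits to the one before it. The following is an added example, not this article's or any vendor's implementation; the field names and sample records are constructed, and `customer_ref` is assumed to be a pseudonymous identifier so that no biometric data enters the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry

def digest(body):
    # Canonical JSON so identical records always hash identically.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_transition(log, customer_ref, from_tier, to_tier, steps, ts):
    """Append one tier transition that commits to the previous entry."""
    body = {
        "seq": len(log),
        "ts": ts,
        "customer_ref": customer_ref,  # pseudonymous ID; no biometric data here
        "from_tier": from_tier,
        "to_tier": to_tier,
        "steps": steps,                # verification steps that justified the move
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    log.append(dict(body, hash=digest(body)))
    return log[-1]

def verify_chain(log):
    """Return the index of the first inconsistent entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

def build_sample_log():
    # Constructed sample data, not real customer records.
    log = []
    append_transition(log, "cust-7f3a", 0, 1,
                      ["id_number_match", "selfie_passive_liveness"], "2024-03-01T09:12:00Z")
    append_transition(log, "cust-7f3a", 1, 2,
                      ["nfc_chip_read", "active_liveness", "aml_screening"], "2024-03-04T17:40:00Z")
    append_transition(log, "cust-7f3a", 2, 3,
                      ["video_session", "source_of_funds"], "2024-05-20T11:05:00Z")
    return log
```

A chain only proves integrity relative to a trusted head hash, so the latest hash should be stored somewhere the log writer cannot rewrite; otherwise the whole chain can be regenerated or its tail truncated without detection.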
Operational Numbers
Anonymized aggregate metrics from a typical European EMI:
- Tier 0 → Tier 1 conversion: 78-85% (new users typically clear basic verification quickly).
- Tier 1 → Tier 2 conversion: 42-55% (NFC step is the typical friction point).
- Tier 2 → Tier 3 conversion: 18-28% (only customers actively requesting higher limits progress).
- Monthly active users at Tier 3: ~15-22% (most users stay at Tier 2 for low-balance use).
- Video session SLA: afternoon average 4-6 minute queue; peak hours 10+ minutes.
Common EMI-Specific Pitfalls
Pitfall 1: Inappropriate tier threshold calibration. Default thresholds (e.g. EUR 5,000) without product-specific calibration either overload the operator queue (too low) or expose the institution to AML risk (too high).
Pitfall 2: Manual approval for every tier transition. "Have a human review every Tier 2-to-3 jump" doesn't scale. Automate what's automatable; reserve operators for genuine edge cases.
Pitfall 3: Operator console missing pre-session summary. The operator enters the session blind to the technical verification outcome, so the session takes longer and the operator can't ask targeted questions.
Pitfall 4: No tier downgrade mechanism. If a customer is dormant for 12+ months, should their tier downgrade or require re-verification? Should anomalous behavior lead to a temporary freeze or a tier downgrade? These decisions need automated, logged rules.
Pitfall 5: One-time KYC mindset. AMLD and equivalent regimes require ongoing CDD, so a change in behavior should trigger re-verification or risk score recalibration.
Frequently Asked Questions
Can EMIs apply lighter KYC than banks?
Within the regulatory framework, EMIs can apply tiered, risk-based KYC where the lowest tiers serve low-balance digital wallets without the full document-verification stack. This flexibility is conditional on transaction volume and balance thresholds — once exceeded, full KYC plus video session becomes mandatory. The "EMI lighter" treatment is for the low-risk segment only, not a general license to do less.
How are tier thresholds set across EU member states?
EMD2 and AMLD provide the framework; member state regulators set or interpret specific thresholds. In practice, low-balance wallet thresholds for simplified due diligence are typically EUR 150-250 for stored value (Article 12 of AMLD provides parameters), though specific limits vary. For higher tiers, institutions set thresholds within their own risk appetite, subject to regulator review.
How should video session escalation be proactively presented to customers?
The typical triggers: (1) the customer is approaching a tier limit — "you've spent EUR 4,200 of your EUR 5,000 monthly limit; raise it with a 5-minute session," (2) a single transaction attempt above the current limit — blocked, with a session offered as the unblocking path. Positive framing ("upgrade your limit") versus negative framing ("your account is restricted") materially improves conversion.
Can outsourced call center operators conduct EMI video sessions?
Regulators generally expect operators to be "employed by or under direct control of the institution." Fully outsourced models face heightened scrutiny. Most EMIs keep operators in-house even as they outsource the underlying technical platform (WebRTC, NFC SDK, recording storage).
How serious is the multi-account problem for EMIs?
Less critical than for crypto exchanges, but real. A typical pattern: a user opens multiple accounts to capture sign-up bonuses or to evade limits. 1:N face matching and device/IP fingerprinting reduce these attacks. 1:N matching should be mandatory for Tier 2+ at minimum.
How Legichain helps
EMIs designing tier-based KYC face the challenge of orchestrating multiple components — instant signup, automated Tier 1-2, escalated Tier 3 with video session, ongoing monitoring, AML screening — under EMD2, EBA, BDDK, and MASAK simultaneously. Legichain Digital KYC consolidates these layers into a single API + SDK; tier thresholds are configured to the institution's risk policy, and automatic triggers (limit approach, anomalous behavior) escalate proactively to Tier 3. Legichain Video KYC provides the operator console with pre-session technical summary, queue management, and decision logging. AML screening, GDPR/KVKK-compliant biometric retention, 10-year hash-chain archiving, and EBA/BDDK inspection-ready reporting are all built in. EMI-specific configurations are available via e-money solutions. Typical European or Turkish EMIs deploy in 6-8 weeks.
