Legichain for e-money and PSPs
Tiered KYC, real-time transaction screening and automated SAR/STR production — sized to the velocity of an EU authorised EMI or UK FCA-registered EMI operating under EMD2, PSD2 and the EMRs 2011.
An e-money institution lives at an awkward intersection: high transaction velocity, retail-grade onboarding pressure, and a regulator (FCA, BaFin, ACPR, AFM, depending on the jurisdiction) that expects bank-grade controls without bank-grade margins. Legichain consolidates the three controls that matter most for EMIs and payment service providers — tiered KYC at the onboarding flow, real-time transaction screening as money moves, and structured SAR/STR production for the supervisor — onto one API. The same engine covers UK FCA-authorised EMIs under the EMRs 2011, EU EMIs under EMD2 and PSD2, and Turkish 6493 EMIs and PSPs reporting under MASAK 5549 — so a multi-jurisdictional EMI does not need a separate compliance stack per market.
What slows an EMI's compliance programme down
Tiered KYC sized to friction tolerance
An EMI's onboarding funnel is brutally sensitive to friction. Even one extra step at sign-up costs 8-12% of conversion. But anti-fraud and AML obligations escalate at GBP 150, GBP 1,000 and GBP 5,000 monthly limits — meaning your KYC stack must be tiered, not one-size-fits-all.
Real-time transaction screening at scale
A UK authorised EMI with GBP 2B annual TPV processes 8-15 transactions per second at peak. Screening every transaction against sanctions, internal blacklists, scam pattern detection and velocity rules with under 80 ms added latency requires careful engineering — not an off-the-shelf vendor flow.
SAR / STR formatting overhead
The UK NCA's SAR Online portal, the German BaFin goAML system, the French TRACFIN portal and the Turkish MASAK STR format all have different schemas. Hand-formatting a suspicious transaction report typically costs 4-6 analyst hours per case. Volume-leading EMIs file 30-80 SARs per month.
Safeguarding and FCA SMCR exposure
Authorised EMIs in the UK face safeguarding rules (segregation of relevant funds) and Senior Manager Conduct Rules personal accountability. Compliance failures in transaction monitoring or sanctions screening fall directly on the named Senior Manager. Documentation has to be defensible at individual-officer level.
How Legichain solves them
Tiered KYC API with progressive enhancement
Three tiers wired into the same API: Tier 0 is device-fingerprint plus screening on name and date of birth, suitable for sub-GBP 150 monthly limits. Tier 1 adds NFC chip authentication and ICAO 9303 document verification for daily-limit upgrades. Tier 2 adds live video for corporate customers or high-limit retail. The escalation logic is configurable; the same SDK serves all three tiers, so your engineering team integrates once.
Real-time transaction screening with sub-80 ms latency
Our transaction monitoring engine runs sanctions, internal watchlist, velocity, geography, structuring and scam-pattern checks in one synchronous call. P95 latency at 15 TPS sustained: 64 ms. Rules are configurable per product (card, top-up, FX, payout) and per customer tier. The decision (allow, hold, escalate, reject) is returned synchronously; the audit trail is logged asynchronously.
Automated SAR / STR production
Cases flagged by transaction monitoring open a structured workflow. The analyst dispositions the case in the panel; on filing, the system produces a SAR Online XML for the UK NCA, a goAML XML for German BaFin, a TRACFIN-format report for France or a MASAK STR for Turkey — automatically, in the right schema. Typical analyst time per case drops from 4-6 hours to 35-50 minutes.
Webhook orchestration with idempotency by default
Every state transition (KYC tier upgrade, transaction hold, SAR submission, sanctions rescreen hit) emits a signed webhook with idempotency keys, request IDs and HMAC signatures. Your platform never has to poll for state. Failures are retried with exponential backoff; the audit archive logs every delivery attempt for the Senior Manager file.
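A receiver for such signed, retried webhooks has to authenticate the raw body before acting on it and must treat a redelivery as already handled. The sketch below is an added example, not Legichain's SDK or documented wire format: the header names (X-Timestamp, X-Signature, X-Idempotency-Key), the HMAC-SHA256 over "timestamp.body" construction, the 300-second window and the event payload are all assumptions, and the in-memory dict stands in for a durable store.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed replay window; the page does not state one


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender side of the assumed scheme: hex HMAC-SHA256 over 'timestamp.body'."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def handle_webhook(headers, body, secret, seen, now=None):
    """Return (http_status, outcome). `seen` maps idempotency key -> event type."""
    now = time.time() if now is None else now
    ts = headers.get("X-Timestamp", "")          # hypothetical header name
    sig = headers.get("X-Signature", "")         # hypothetical header name
    key = headers.get("X-Idempotency-Key", "")   # hypothetical header name
    if not (ts.isascii() and ts.isdigit() and sig and key):
        return 400, "missing-headers"
    # Authenticate the raw bytes first, in constant time, before parsing
    # the JSON or recording the key, so forged requests cannot poison state.
    if not hmac.compare_digest(sign(secret, ts, body).encode(), sig.encode()):
        return 401, "bad-signature"
    # The timestamp is covered by the MAC, so an old capture cannot be re-dated.
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return 401, "stale-timestamp"
    # A retry of an event already applied is acknowledged with 200 so the
    # sender's backoff stops, but the state change is not applied twice.
    if key in seen:
        return 200, "duplicate"
    event = json.loads(body)
    seen[key] = event["type"]
    return 200, "applied"


if __name__ == "__main__":
    # Constructed sample delivery; secret, key and payload are made up.
    secret, ts = b"constructed-secret", str(int(time.time()))
    body = b'{"type": "transaction.hold", "id": "evt_constructed_001"}'
    hdrs = {"X-Timestamp": ts, "X-Signature": sign(secret, ts, body),
            "X-Idempotency-Key": "idem_constructed_001"}
    store = {}
    print(handle_webhook(hdrs, body, secret, store))  # first delivery
    print(handle_webhook(hdrs, body, secret, store))  # retried delivery
```

In production the idempotency record and the state change belong in one transaction, so a crash between them cannot cause a retry to be applied twice or dropped.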
What you get out of the box
- Tier 0: device fingerprint plus light PEP and sanctions screen
- Tier 1: NFC plus liveness for daily-limit and volume upgrades
- Tier 2: live video for corporate or high-limit retail customers
- Same screening core powers card, top-up, FX and payout flows
- Real-time transaction monitoring with structuring and velocity rules
- Automated SAR / STR formatting for NCA, goAML, TRACFIN and MASAK
Regulatory coverage
Legichain is designed against the actual EMI and PSP regulatory surface in the markets our customers operate in. EMD2, PSD2 (and the in-progress PSD3 plus PSR package) sit alongside the UK EMRs 2011, FCA SMCR and (for Turkish operations) Law No. 6493 — all on one engine.
EMD2 (Dir. 2009/110/EC) and EMRs 2011 (UK)
Tiered KYC sized to safeguarded fund volumes, transaction monitoring on all e-money issuance, redemption and load flows, and audit retention sized to the FCA's expectation for authorised EMIs and small EMIs operating under the EMRs 2011.
PSD2 (Dir. EU 2015/2366), PSD3 and PSR (in process)
Strong Customer Authentication trigger logic, transaction monitoring for fraud and AML, and the documentation expected for PSP authorisation files. Our model and rule packs track the in-progress PSD3 and PSR amendments published by the European Commission.
AMLD5 / AMLD6 (Dir. EU 2018/843 and 2018/1673)
Enhanced due diligence triggers, beneficial-ownership lookup, predicate-offence tagging for SAR production and the criminal-liability documentation that EMD2 and PSD2 firms need under the AMLDs. STR / SAR output schema for major EU FIUs.
FCA SMCR and MLR 2017 (UK)
Documentation defensible at named Senior Manager level: every screening decision retains the analyst ID, the rule version, the list snapshot and the dispositioning timestamp. SAR Online XML produced directly from the case file. Pre-formatted ICAAP and SREP audit-archive exports.
Frequently asked questions
How does the tiered KYC API actually work end-to-end?
At sign-up your platform calls our customer-create endpoint with the customer's intended product (e-money, FX, cards) and risk profile. We respond with the appropriate tier requirement: typically Tier 0 (device fingerprint plus name and DoB screening) for low-risk consumer use. As the customer hits volume, geography or velocity triggers — all configurable — we return a tier-escalation event via webhook, and your platform invokes the NFC plus liveness SDK (Tier 1) or the video session (Tier 2). One SDK serves all three tiers; the upgrade flow is in-app, takes 60-120 seconds, and uses our cached device fingerprint to skip steps already completed.
Can our engineering team integrate this without a compliance specialist on the team?
Yes, for the integration phase. Our default rule packs ship pre-tuned for the major EMI and PSP regulatory surfaces (EMD2, UK EMRs 2011, MLR 2017, AMLD5 and AMLD6). Postman collection, OpenAPI spec, Python SDK and TypeScript SDK are available day one. The integration itself typically takes 2-4 weeks for a small engineering team. You will need a compliance specialist before going live to sign off on the rule thresholds and the documented risk-based approach — this is usually a 1-2 day engagement, not a permanent hire. Our compliance editorial team can introduce you to a fractional MLRO if you don't have one.
How does Legichain handle the PSD2 Strong Customer Authentication requirement?
SCA exemption logic is separate from KYC tiering but uses the same risk inputs. Our transaction-monitoring endpoint returns an SCA recommendation alongside the AML decision: required, exempt under the low-value exemption, exempt under the recurring-payment exemption, exempt under the trusted-beneficiary exemption, or exempt under transaction risk analysis (TRA). The TRA exemption requires a documented fraud-rate calculation; we produce that calculation automatically per quarter from your transaction data and surface it in the audit archive for your supervisor.
What does the SAR / STR automation actually produce, in formatting terms?
When an analyst dispositions a case as suspicious and clicks to file, the system produces a SAR Online XML conforming to the UK NCA's current schema, a goAML XML for German BaFin, a TRACFIN-format report for France, an AMLD-aligned report for the Dutch FIU-NL, or a MASAK STR for Turkey — based on the jurisdiction of the customer and your filing entity. The XML is human-validated before submission; the system does not file on your behalf. Typical end-to-end case time drops from 4-6 hours of manual formatting to 35-50 minutes of substantive analysis.
What is the typical implementation timeline for a UK authorised EMI?
From signed contract to first production traffic, typical UK EMI implementations run 6-10 weeks. Week 1-2: rule-pack configuration against your existing risk policy, with a workshop to tune thresholds to your firm's risk appetite. Week 3-5: SDK integration into your onboarding flow and transaction handler. Week 6-7: parallel run on shadow traffic; the legacy system continues to make the live decision, and we report what we would have decided differently. Week 8-10: progressive cutover starting at 5% and ramping to 100%, with a documented rollback at each step for the Senior Manager file.
Related reading
Pillar guide to digital KYC: NFC chip authentication, video verification, liveness detection and the operational design choices that affect conversion.
When live video makes sense for an EMI's higher-tier flows, how to design the operator workflow and the supervisor evidence pack.
Practical guide to MASAK 5549 obligations for Turkish-licensed PSPs and EMIs, including SAR formatting, reporting timelines and ongoing monitoring.
What the E-Money Directive 2 actually requires of EMIs across the EU, with practical implementation notes for compliance and product teams.
