Blockchain technology is developing faster than regulation can change. The resulting legal gap often leads Web3 startups (e.g., those developing crypto wallets, payment gateways or DeFi applications) to believe that the legal framework of the “traditional” financial market does not apply to them. After all, if they do not operate with fiat currencies, payment services regulations should not concern them.

This assumption, however, is incorrect. Regulations, particularly at the EU level, are aimed not at the technology itself, but at the function a given solution performs. If a DeFi application functions in the same way as a classic payment institution, it may be treated as one.

From the perspective of payment services regulation, the key question is whether the user of a given solution can store funds (including scriptural money and electronic money) and dispose of them, in particular by initiating transfers, ordering payments, or making withdrawals.

In such a case, the activity may be classified as the provision of payment services, which in practice may mean the need to meet a range of obligations, including obtaining the appropriate regulatory status, complying with the requirements of the Payment Services Directive 2 (PSD2) and, depending on the business model, being entered in a register maintained by the competent regulator (in Poland: the KNF) or obtaining the relevant authorization.

Where Does Innovation End and Regulation Begin?

PSD2 defines payment services by reference to their function. In other words, it does not matter whether a transfer is executed by a bank, a fintech, or a smart contract – if the outcome is the same, the legal obligations may be similar (although the addressee of those obligations is always the entity that makes the service available and organizes it).

Under PSD2, payment services include, among others, services related to a payment account and the execution of payment transactions, as well as payment initiation services and account information services.

For regulatory assessment, it may be irrelevant that you are transferring assets other than Polish zloty, as long as “funds” within the meaning of PSD2 are involved – this includes tokens classified as electronic money tokens (EMT). While transfers of “typical” crypto-assets (e.g., BTC, ETH, utility tokens) are generally not transfers of funds within the meaning of PSD2, the situation may be different, among others, in the case of EMTs. If a user stores such funds and can transfer them, the service may be considered a payment service.

When Does a Crypto Wallet “Cross the Line”?

Not every crypto wallet provider automatically becomes a payment institution. What matters is how funds are managed and what kinds of assets are being stored.

A crypto wallet provider will not be a payment institution if the user has full and exclusive control over their private key and the application serves solely as an interface. The problem begins when the wallet enables, among other things, the storage of EMTs or the execution of transfers between accounts. In such cases, the risk that the activity will be deemed a payment service increases. The same applies to projects that execute withdrawals of funds or offer functions resembling classic online banking.

Independently of PSD2, a custodial model often triggers a parallel MiCA regime (e.g., the service of safeguarding and administering crypto-assets on behalf of clients) as well as AML requirements.

Examples of situations increasing regulatory risk:
  • the wallet provider has access to the user’s private keys
  • the application enables the user to transfer assets from one address to another (in particular where the transferred asset constitutes “funds” within the meaning of PSD2)
  • the user can deposit or withdraw funds in fiat currencies
  • the wallet integrates with payment card systems.

How to Operate Safely?

The most important factor is conscious architectural design. Even if the wallet itself does not store funds, certain functionalities may bring it closer to the regulated space.

When starting work on a project, it is advisable to:

  • thoroughly analyze the functionality map in terms of PSD2
  • determine who controls access to the user’s funds
  • ensure compliance with MiCA and AML requirements
  • if in doubt, consult a financial regulatory expert
  • prepare for a potential licensing application or partnership with a regulated entity.

What Is Worth Knowing About Licences?

At EU and national level, the law provides for different licensing regimes whose applicability depends on the scope and scale of the activity.

A small payment institution (SPI) is a simplified regulatory form, but it is subject to transaction volume limits. In Poland, an SPI operates as a registered entity entered in the KNF register and is subject to statutory caps, including a limit on the average monthly value of transactions.

A national payment institution (NPI) is a full PSD2 license, appropriate for more developed projects. It is a payment institution that may provide payment services to the full extent, and it is subject to stringent corporate governance, capital, and operational requirements.

Obtaining the appropriate license involves specific organizational, capital, and operational requirements, but it also opens the path to scaling the business, integrating with payment infrastructure, and cooperating with regulated entities.

Summary

Today, the boundary between blockchain technology and the regulated financial market is not drawn in code, but in the function a given solution performs for the user. Whether a project uses smart contracts or banking infrastructure is of secondary importance to the regulator. The key issues are who controls the funds, who can dispose of them, and whether the solution in practice begins to act as an account or a payment instrument.

For Web3 projects, this means thinking about regulation already at the architecture design stage. Decisions on custody, the way balances are presented, integration with fiat, or withdrawal mechanisms have a direct impact on the legal classification of the entire solution. In many cases, it is not the creators’ intent, but the functional effect that determines whether a project falls under PSD2 or other financial regulations. It is also worth remembering that the regulatory environment for payment services is dynamic (work is underway on reforming the PSD2 framework at EU level), which increases the importance of continuously monitoring changes.

A conscious approach to these issues does not limit innovation; it helps secure and scale it. Projects that understand their regulatory risks gain an advantage – both in relations with partners and in interactions with supervisory authorities. In the Web3 world, legal compliance is becoming less of an add-on and more of a component of technology strategy.