Personal
Business
Community
Company
Support
Open Account
Main page
Blog

Blackcat at Money20/20 Europe 2026: Fixing Correspondent SEPA Access for Financial Institutions

By
Emma Carter
05.06.2026
8 min
At Money20/20 Europe in Amsterdam, one question kept coming up at our stand: how does a regulated financial institution actually connect to the euro rails it depends on? It sounds simple. In practice, it is one of the hardest problems a new payments or crypto firm faces in Europe.
Here is what we showed at the event, why correspondent access has become a bottleneck, and how Blackcat — issued by Papaya Ltd. — approaches it.
Key takeaway. Most new financial institutions can get a licence and build a product, but still can't reach SEPA. Papaya Ltd. opens that access by onboarding the institution — not its end-users — so compliance sits where there's real visibility.
What we brought to Money20/20
Blackcat is, first, a retail fintech: one app with a EUR IBAN, multi-currency wallets, SEPA transfers, a payment card and an integrated crypto-to-EUR service. To build that, we assembled the underlying payments stack ourselves.
The launch we centred the stand around takes those same building blocks and offers them to other regulated institutions: a correspondent services product giving direct SEPA access through API integration, virtual IBAN issuance and embedded compliance screening.
Booth conversations split cleanly into two groups:
  • Those who knew what they needed — direct participation, instant euro payments, a clean API — and wanted to see how fast they could plug in.
  • Those who didn't know it was possible — firms that assumed reaching the rails meant building everything in-house or being turned away by a bank.The bottleneck: SEPA access for financial institutions
In Europe, sending and receiving euros instantly is the baseline expectation of any financial product. As Olegs put it at the show, the hard part isn't demand — it's reaching the rails. Suppliers are few, and banks are often unwilling to serve financial institutions, especially newly registered ones.
The European Central Bank only recently widened the door to direct participation, but going through it alone stays complex enough that most smaller firms can't realistically manage it.
The simplest version of the problem
Picture a small payment institution in an EU member state. Its only route to SEPA is through a credit institution — maybe just one candidate, with onboarding docs in a language the team doesn't speak and a process nobody internally has navigated. It goes looking for a partner. The banks say no. And it's left finding whoever else might help.
The same wall exists for institutions just outside the eurozone, or outside the EU entirely: a bank in a market whose central bank isn't yet ready to grant direct SEPA participation, or a regulated firm with no domestic path to the network. They have a licence and a product; what they lack is a euro on-ramp.
Why stretched BaaS broke
For years the closest available tool was Banking-as-a-Service. But BaaS was built for non-financial companies — retailers, marketplaces, SaaS platforms — to rent a host institution's licence and infrastructure. It was never meant for one financial institution to serve another.
Bend it into that shape and the provider becomes legally responsible for monitoring end-users it has never met, whose behaviour it can't observe, and whose risk it's reconstructing from second-hand data.
Regulators noticed and asked the obvious question: if these are your customers, where is your oversight? Across Europe, institutions running correspondent or BaaS programmes either restricted intake sharply or exited — not because demand vanished, but because the compliance architecture was unsustainable. Every new end-user a partner onboarded raised the provider's compliance burden, so growth itself became a liability.
There was also a quieter fear among prospective partners: data lock-in. If you hand your full customer file to a provider that treats those users as its own clients, what stops it from serving them directly one day? Justified or not, that worry has kept many institutions from committing.
Key takeaway. Legacy BaaS made the provider accountable for users it couldn't see. The fix isn't lighter regulation — it's putting accountability where the visibility actually is.
Our approach: vet the institution, not its users
Blackcat's answer, built on Papaya's infrastructure, returns to old-school correspondent logic. Instead of vetting millions of end-users, we onboard, perform due diligence on, and monitor the partner institution. Its end-users stay its clients, not ours — we don't collect a full onboarding file on them and don't treat them as customers.
That isn't flying blind. Through API integration we still receive the same identity and transaction data a BaaS provider would. The difference is how we use it:
  • As intelligence — it feeds our monitoring and risk-scoring layer.
  • Not as onboarding — it never creates a client relationship with the end-user.
So responsibility splits cleanly. The institution keeps full responsibility for its own clients and their ongoing due diligence. Ours concentrates where we have real visibility and control: the institution's licensing, governance, risk profile and transaction patterns. Because we never adopt its users as our clients, the data lock-in fear largely dissolves too.
article-hero-image.png
How we onboard a partner
Onboarding is a controlled process, not a handshake. We analyse the institution first, then run a structured assessment of whether its AML controls are equivalent to ours — a defined questionnaire that produces a score, not a subjective gut-check. Three outcomes follow:
  • Not equivalent — declined. If a firm doesn't identify customers, collect required data, or apply the controls we expect, we can't take it on.
  • Conditionally equivalent — mitigations required. We know exactly where the gaps are and ask for specific mitigating measures or an alternative process to close them.
  • Equivalent — cleared. Where 100% aligns, the residual differences are immaterial.
Monitoring continues after onboarding. When a partner starts registering customers, those flows pass through our screening. If something inconsistent surfaces, we go back to the partner and ask how it happened.
The point isn't to judge any single end-user as “good” or “bad.” It's to understand precisely what the institution is doing, so we can keep confirming it's the partner we onboarded. As Olegs stresses, this isn't about lighter rules: if anything, he expects more regulation ahead — the goal is to apply it in the right place.
Who it serves and where demand comes from
Because the test is licensing and AML equivalence rather than business category, the model isn't limited to payment institutions and EMIs. It can serve crypto exchanges, brokerages and other regulated entities — and where a partner is a crypto business, we help it meet travel-rule requirements too.
Demand reaches well beyond the eurozone. A recurring profile at the stand was firms registered outside the EU — including a notable cluster from Canada — that hold broad local licences for payments and crypto activity at home, but still need a euro on-ramp into Europe. They may not operate in Europe at all; they need access to euros that live there. That's exactly what a correspondent relationship is built for.
The throughline of every good conversation was the same: partners don't want to become payments-infrastructure experts. They want to stay focused on their own business and have the euro-rail layer simply handled. “One simple way to connect, not orchestrations,” as Olegs summarised it.
If you're mapping how this fits the wider European shift, our deeper pieces on how non-bank institutions are winning the payments race and the next chapter in open banking give useful context.
More on how we're solving SEPA access for financial institutions in two interviews with our CTO, Olegs Cernisevs: in Sifted and FinTech Magazine.
article-hero-image.png
Frequently asked questions
What did Blackcat present at Money20/20 Europe 2026?
A correspondent services product for regulated financial institutions: direct SEPA access via API integration, virtual IBAN issuance and embedded compliance screening — the same payments stack Blackcat built for its own app, opened to partners.
What's the difference between BaaS and a correspondent model?
BaaS lets non-financial companies rent a licensed institution's infrastructure, with the host owning the end-user relationship. A correspondent model keeps each financial institution responsible for its own clients; the provider onboards and monitors the institution itself.
Does Blackcat take on the partner's customers as its own clients?
No. They remain the partner's clients. Blackcat receives identity and transaction data via API and uses it for monitoring and risk-scoring, not to create a client relationship.
Who can use the correspondent service?
Regulated entities whose AML controls are assessed as equivalent — payment institutions, EMIs, crypto exchanges and brokerages. For crypto partners, Blackcat also helps meet travel-rule requirements.
How does Blackcat decide whether to onboard a partner?
A structured equivalence assessment producing a score. Fully equivalent partners clear; partners with gaps must provide specific mitigations; non-equivalent partners are declined. Monitoring continues after onboarding.
Can institutions outside the EU use this?
Yes. A common case is firms licensed outside the EU needing a euro on-ramp into Europe even if they don't operate there. The deciding factor is licensing and AML controls, not location.
Why is direct SEPA access so hard to get?
Few suppliers, banks reluctant to serve newer institutions, and — though the ECB recently widened direct participation — a process still too complex for most smaller firms to manage alone.
Share this article