Pass the supervisor.
Earn the licence.
Penetration testing and adversary simulation for EMEA fintechs, payment institutions, EMIs and CASPs. PSD2 RTS on SCA and secure communication, the PSD3 / PSR transition, EU GDPR and the EDPB PSD2-interplay guidance, DORA threat-led penetration testing against the TIBER-EU framework, and FCA / BaFin / DNB / CSSF / Banque de France supervisory expectations.
Pain points EMEA fintech CISOs raise on the scoping call
PSD2 SCA implementation drift
Dynamic-linking implementations that break on certain payment flows, transaction-risk-analysis exemption tracking that the auditor can't reconcile, factor-strength regressions from passkey or push-notification rollouts. The RTS allows little room for clever shortcuts.
DORA TLPT obligation looming
Article 26 TLPT every three years for significant entities, in-flight from 2025. White-Team setup, TI / RT provider selection, central-bank facilitation, and the live red-team window against production all need 4–8 months of lead time.
GDPR breach notification at 72 hours
Detection-to-DPA notification in 72 hours requires the same monitoring, classification and templating discipline as the six-hour CERT-In window in India. Most fintechs do not yet have the playbook tested against a realistic scenario.
XS2A interface stability and security
PSD2 dedicated interfaces (XS2A) for AIS / PIS / CBPII access — OAuth2 redirect / decoupled / embedded modes, eIDAS QWAC and QSealC certificate handling, consent-management edge cases, fall-back interface monitoring. Supervisor and TPP complaints both land here.
Multi-jurisdiction supervisory mapping
A UK-headquartered EMI passporting into EU member states post-Brexit, a German neobank with a UK branch, a Lithuanian EMI with operations across the Nordics — each combination triggers a different mix of FCA, BaFin, DNB, Bank of Lithuania, ECB and EBA expectations.
Operational resilience expectations
FCA PS21/3 + PRA SS1/21 in the UK, DORA Articles 11–14 in the EU. Important business services identification, impact tolerance setting, severe-but-plausible scenario testing, and the supervisor's lessons-learned expectations.
Compliance frameworks the engagement maps to
PSD2 (Directive (EU) 2015/2366) + SCA-RTS (Reg. 2018/389)
Strong Customer Authentication (two of knowledge / possession / inherence), dynamic linking of the authentication code to amount and payee (Art. 5), transaction-risk-analysis exemptions with monitoring obligations, common and secure open standards of communication, the dedicated XS2A interface for AIS / PIS / CBPII, eIDAS QWAC and QSealC certificate handling.
PSD3 + Payment Services Regulation (PSR) — Commission proposals 2023
Tightens SCA, expands and clarifies open-banking access permissions and API-quality requirements, centralises core rules in a directly applicable EU regulation (PSR), and revises the licensing regime for payment institutions. Expected to apply 18 months after final adoption.
DORA (Regulation (EU) 2022/2554) + RTS / ITS
Applies from 17 January 2025. ICT risk management (Articles 5–14), incident reporting (Articles 17–23), digital operational resilience testing (Articles 24–27, including threat-led penetration testing aligned to TIBER-EU under Article 26), third-party ICT risk (Articles 28–44), oversight of critical ICT providers (Articles 31–44).
TIBER-EU framework
European Central Bank framework for threat-intelligence-based ethical red-teaming. Generic Threat Landscape, entity-specific Threat Intelligence by an independent TI provider, intelligence-led Red Team by an independent RT provider, with central-bank facilitation through the TIBER-EU Cyber Team. The reference framework for DORA Article 26 TLPT.
EU GDPR + EDPB PSD2-interplay guidance
Articles 5, 25, 32, 33, 35 of GDPR for security of processing, design and default privacy, breach notification at 72 hours, DPIA where required. EDPB Guidelines 06/2020 on the interplay between PSD2 and GDPR for the AIS / PIS consent boundary, silent-party minimisation and legal-basis selection.
MiCAR (Regulation (EU) 2023/1114) for CASPs
Markets in Crypto-Assets Regulation. Harmonised authorisation for crypto-asset service providers and issuers of asset-referenced tokens and electronic-money tokens. ESMA RTS and EBA guidelines detail ICT, custody, market-abuse, and governance expectations. DORA is the operative ICT-risk framework for in-scope CASPs.
Sample attack scenarios exercised
Three scenarios commonly run for an EMEA fintech. Each maps to public-record incident archetypes against EU and UK payment institutions.
Case study
EMI passporting across multiple EU member states, UK branch, GBP / EUR card-issuance programme. Twelve-week engagement covering the customer mobile app, core ledger, card-issuance integration, XS2A AIS / PIS interfaces, treasury and back-office. Mapped to PSD2 RTS, EU GDPR + EDPB 06/2020, DORA ICT-risk Articles 5–14, FCA PS21/3 operational-resilience and PCI DSS v4.0.1 for the card programme.
Outcome: Two High-rated SCA dynamic-linking findings closed before the FCA s.166 deadline, XS2A consent-binding gap remediated and re-tested, GDPR 72-hour breach playbook validated through a tabletop, DORA TLPT scoping document and TI / RT provider shortlist delivered for the entity's first three-year TLPT cycle.
Full redacted report and reference call available under mutual NDA. Request via the scoping form →
Frequently asked questions
What does PSD2 actually require from a pentest perspective, and what changes under PSD3?
PSD2 (Directive (EU) 2015/2366) and its supporting Regulatory Technical Standards on Strong Customer Authentication and common and secure open standards of communication (Commission Delegated Regulation (EU) 2018/389) impose specific technical requirements: SCA with at least two of knowledge / possession / inherence, dynamic linking of authentication code to amount and payee for payment transactions (Art. 5 RTS), transaction-risk-analysis exemptions with monitoring obligations, and the dedicated open-banking interface (XS2A) for AIS and PIS providers. Pentest coverage targets the SCA implementation (factor strength, replay resistance, dynamic-linking integrity), the XS2A interface (OAuth2 flows, redirect / decoupled / embedded modes, consent management, eIDAS QWAC / QSealC certificate handling) and the fall-back interface where used. PSD3 and the accompanying Payment Services Regulation (PSR) — Commission proposals adopted in June 2023, expected to apply 18 months after final adoption — tighten SCA, expand the open-banking permission framework, formalise the API-quality requirements that PSD2 left ambiguous, and centralise certain rules in directly applicable EU regulation. The engagement maps current PSD2 RTS coverage and flags PSD3 / PSR delta items.
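The dynamic-linking and replay-resistance properties named above, as an added illustration that is not code from this page or from AxVeil. The design is assumed: the authentication code is an HMAC over a canonical (amount, payee, nonce) tuple, the nonce is single-use and short-lived, and verification recomputes the code over the amount and payee actually being executed so that a changed amount or swapped payee fails.

```python
import hashlib
import hmac
import secrets
import time
from decimal import Decimal

# Assumed design for illustration only: HMAC-SHA256 authentication code bound to
# amount + payee + single-use nonce (the Art. 5 RTS dynamic-linking property).
class DynamicLinkingVerifier:
    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self._key = key
        self._ttl = ttl_seconds
        self._pending = {}  # nonce -> (canonical payment bytes, expiry time)
        self._used = set()  # consumed nonces: replay guard

    @staticmethod
    def canonical(amount, payee: str) -> bytes:
        # Fixed formatting so "10.0" and "10.00" bind to the same code;
        # payee identifier normalised (spaces removed, upper case).
        amt = Decimal(str(amount)).quantize(Decimal("0.01"))
        return f"{amt}|{payee.replace(' ', '').upper()}".encode()

    def _mac(self, payment: bytes, nonce: str) -> str:
        msg = payment + b"|" + nonce.encode()
        # Truncated to a displayable code; the full digest stays server-side.
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, amount, payee: str, now=None):
        # Called after the payer has confirmed amount and payee on the trusted channel.
        now = time.time() if now is None else now
        payment = self.canonical(amount, payee)
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (payment, now + self._ttl)
        return nonce, self._mac(payment, nonce)

    def verify(self, nonce: str, code: str, amount, payee: str, now=None) -> str:
        # Returns one of: "ok", "replay", "unknown", "expired", "mismatch".
        now = time.time() if now is None else now
        if nonce in self._used:
            return "replay"
        entry = self._pending.get(nonce)
        if entry is None:
            return "unknown"
        _, expiry = entry
        if now > expiry:
            return "expired"
        # Recompute over the amount/payee being executed, not the stored ones:
        # a modified amount or swapped payee must fail here.
        expected = self._mac(self.canonical(amount, payee), nonce)
        if not hmac.compare_digest(expected, code):
            return "mismatch"
        self._used.add(nonce)
        del self._pending[nonce]
        return "ok"
```

The key and the sample IBAN used in any test are constructed values; a production implementation would also bind the payer's session and log each non-"ok" result for the TRA monitoring obligation.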
We are in scope for DORA. What does threat-led penetration testing look like in practice?
DORA (Regulation (EU) 2022/2554) applies from 17 January 2025 to most EU financial entities — credit institutions, payment institutions, EMIs, investment firms, crypto-asset service providers under MiCAR, insurance and reinsurance undertakings, plus ICT third-party service providers designated as critical. Article 26 obliges significant entities to perform Threat-Led Penetration Testing (TLPT) at least every three years, using TIBER-EU as the reference framework. TIBER-EU runs a Generic Threat Landscape (GTL) update, an entity-specific Threat Intelligence (TI) report by an independent TI provider, and an intelligence-led Red Team (RT) exercise by an independent RT provider against live production systems, with central-bank facilitation. The TLPT lasts 4–8 months end-to-end and is governed by a White Team inside the entity plus the TIBER-EU Cyber Team at the national competent authority. AxVeil scopes the TLPT and partners with an authority-recognised provider for the live exercise.
How do GDPR and the EDPB e-banking guidance affect the engagement scope?
GDPR Articles 5 (lawfulness and purpose limitation), 25 (data protection by design and by default), 32 (security of processing), 33 (breach notification within 72 hours to the supervisory authority), and 35 (data protection impact assessment) all apply to a fintech processing customer data. The EDPB's Guidelines 06/2020 on the interplay between PSD2 and the GDPR are the operative document on consent vs contract legal basis for the XS2A interface, silent-party data minimisation, and AIS / PIS consent boundaries. Engagement reports map findings to the relevant GDPR articles and the EDPB guidance. Cross-border data transfers under the EU-US Data Privacy Framework, the UK Extension and the new EU Standard Contractual Clauses are reviewed for any non-EU processor in the chain.
Our card-issuing programme runs across UK, EU and the GCC. What is the right compliance map?
PCI DSS v4.0.1 is the constant — it applies wherever cardholder data is processed regardless of jurisdiction. On top of that: UK PSRs 2017 (Payment Services Regulations 2017) plus the FCA Handbook (FIT, SYSC, BCOBS) for UK issuance, with the FCA Operational Resilience policy statement PS21/3 and the parallel PRA SS1/21 expectations on important business services; PSD2 RTS plus national competent authority (BaFin, DNB, Banque de France, Banca d'Italia, CSSF) handbooks for EU issuance; CBUAE PRD (Payment Token Services Regulation) and the UAE Open Finance Regulation for UAE; SAMA Open Banking framework for Saudi Arabia. The engagement maps every test case to the source rule across the relevant jurisdictions so a single evidence pack drops into all parallel supervisory submissions.
MiCAR (the EU crypto-asset regulation) applies to our token-issuance arm. How is that scoped?
MiCAR (Regulation (EU) 2023/1114) creates a harmonised authorisation regime for crypto-asset service providers (CASPs) and issuers of asset-referenced tokens (ARTs) and electronic-money tokens (EMTs). The technical security expectations land via ESMA RTS and EBA guidelines: governance, ICT risk management, business continuity, custody arrangements, market-abuse monitoring, and the DORA framework as the operative ICT-risk regime for in-scope CASPs. The engagement covers the wallet infrastructure (hot / warm / cold segregation, key-management ceremony, HSM and MPC implementations), the trading and matching engine, the AML / market-abuse monitoring stack, the MiCAR white-paper notification process, and the DORA TLPT obligations once the CASP crosses the threshold. Pre-authorisation engagements run as readiness assessments against the relevant national competent authority (BaFin, AMF, CySEC, MFSA) playbook.
Scope a fintech EMEA engagement
Send the entity type (PI, EMI, AISP, PISP, CASP, neobank, lender), the lead supervisor (FCA, BaFin, DNB, CSSF, Banque de France, AMF, CySEC, MFSA, CBUAE, SAMA), and the next regulator milestone (annual ICAAP / ILAAP, DORA TLPT window, MiCAR authorisation). We respond with a fixed-fee proposal and a TIBER-EU scoping note where relevant.
Request a scoping call →