Once your platform touches the flow of funds between buyers and sellers, you stop being a software company in the eyes of a regulator. You become a party in the payment chain, and the chain comes with three separate rulebooks: payments licensing, anti-money-laundering, and sanctions. Most teams discover this in the wrong order, usually when a bank partner sends a questionnaire or freezes a settlement account.
This lesson maps those three regimes and, more usefully, shows where liability actually lands when each one is breached. The earlier modules covered who moves the money (Module 1), how settlement splits (Module 2), and who carries merchant-of-record status (Module 3). Compliance is downstream of all of those choices, and it is rarely a question you can defer.
PSD2, the commercial agent trap, and PSD3
In the EU and UK, the threshold question is simple to state and easy to get wrong: are you providing a regulated payment service? If you receive funds from a buyer and pass them to a seller, you are likely providing one, and that requires authorization as a payment institution or e-money institution, or operating under a licensed partner's permissions.
Platforms have historically leaned on the commercial agent exemption in PSD2 to avoid a license. The exemption is narrow. It only applies when you act on behalf of one side, either the payer or the payee, not both. The moment you sit between buyer and seller as a neutral intermediary, which is what most marketplaces actually do, the exemption stops covering you.
PSD3 and the accompanying Payment Services Regulation (PSR) tighten this further. The Commission published the proposals on 28 June 2023, and the Parliament and Council reached provisional agreement on 27 November 2025. Under the new text, the commercial agent exemption only applies where the agent has authority to negotiate for the payer or the payee but not both, and the arrangement gives that party a real margin to negotiate. That added "real margin" test removes most of the room marketplaces used to rely on. If you have been building on the exemption, treat PSD3 as a forcing function to either get authorized or move funds onto a licensed partner.
What "licensed partner" actually buys you
Working under a payment facilitator or a licensed PSP shifts the regulatory permission onto the partner, but not the compliance work. You still run onboarding, monitoring, and screening to the standard your partner's regulator expects, because their license is on the line for your behavior. This is the structural trade Module 7 contrasts across PayFac, marketplace, and orchestration models.
SCA and chargeback liability
Strong Customer Authentication is where PSD2 liability becomes concrete per transaction. SCA requires authentication using two independent factors from separate categories (knowledge, possession, inherence) on most electronic payments, with a set of exemptions (low value, transaction risk analysis, trusted beneficiaries) that let you skip the friction.
The liability rule is the part teams miss. When the issuer applies SCA or grants an exemption it controls, fraud liability sits with the issuer. When you or your acquirer request an acquirer-side exemption and the issuer honors it, the chargeback liability stays with you. Exemptions are not free passes. They are decisions to retain risk in exchange for conversion, and the cost lands as chargebacks you cannot represent away.
AML and sanctions: the obliged-entity question
AML and sanctions are a different regime with a different trigger. The question here is not "do you need a payments license" but "are you an obliged entity." If you are a payment institution or e-money institution, you are. That makes you responsible for KYC and KYB on sellers, ongoing transaction monitoring, suspicious activity reporting, and sanctions screening against lists like OFAC and the EU consolidated list.
The EU is consolidating these duties into a single rulebook. The AML Regulation (Regulation (EU) 2024/1624) applies directly across all member states from 10 July 2027, removing the patchwork of national transpositions that defined the 5AMLD era. The new Anti-Money Laundering Authority (AMLA), based in Frankfurt, began operations in July 2025 and will directly supervise a set of the highest-risk cross-border obliged entities from 2028. The list of obliged entities also widens to include crypto-asset providers and crowdfunding platforms, so "we are just software" is a weaker defense each year.
Sanctions sit alongside AML but operate on strict liability. There is no risk-based exemption for processing a payment to a sanctioned party. You either screened and blocked it or you did not.
A worked example
A UK marketplace runs split settlement: buyers pay, the platform takes a fee, sellers get paid out. The team treats itself as a tech company and skips seller screening, reasoning that its PSP handles compliance.
A seller turns out to be a front for a sanctioned entity. The platform processed three payouts before a screening hit surfaced at the PSP. Here is where each regime lands:
- Sanctions: the platform facilitated value to a sanctioned party. Strict liability means intent is irrelevant; the breach is the transfer itself, and penalties attach.
- AML: the missing KYB and the unfiled suspicious activity report are separate failures, each carrying its own regulatory exposure.
- PSD2: because the platform sat between both sides without a license and without genuinely qualifying for the commercial agent exemption, it was providing an unauthorized payment service the entire time.
- Contractual: the PSP's agreement almost certainly pushes screening duties down to the platform, so the platform cannot point upstream. The PSP can offboard it and claw back losses.
One unscreened seller, four distinct liabilities, none of which the platform thought it owned.
The takeaway
Liability in a multiparty flow does not sit where the money rests. It sits where the duty was assigned, and those duties come from three regimes at once. PSD2/PSD3 decides whether you may move the funds, and AML asks whether you knew your sellers. Sanctions is the strict-liability backstop: did you screen them or not. A licensed partner can carry the permission but not the obligation; the screening, monitoring, and reporting work stays with whoever onboarded the seller. Map each duty to a named owner before you process a single payout, because the regulator will do exactly that after the fact.