Operations·18 Mar 2026·7 min read

The First 90 Days

The license is granted. The congratulations come in. And then the next morning arrives.

The license itself doesn't process a single payment. It doesn't onboard a single merchant. It doesn't settle, reconcile, or safeguard anything. It's a permission slip, waiting for activation. What happens in the first 90 days after approval determines whether the institution actually becomes operational – or spends the next year firefighting.

Most of the attention in the industry goes to getting the license. Very little is written about what comes after. And that's where most payment institutions quietly fall behind.

Activation is not a formality.

The license needs to be activated, and the activation period is usually limited. That means the operational infrastructure must be ready – not in theory, not on a slide deck, but in production.

Payment rails need to exist. Banking relationships need to be live, not "in discussion." Safeguarding accounts need to be opened and activated as soon as the license is granted. Settlement flows from IPSs and card schemes need to be tested and confirmed. The connection between processing and finance needs to work end to end.

If any of these are missing on activation day, the institution is licensed but not operational. And regulators notice.

The rails.

This is where the planning done during the application meets reality. The business plan said "we will offer card acquiring and SEPA payments." Now those rails need to actually exist and work.

For card acquiring, that means a live connection to at least one processor or scheme, BIN sponsorship or principal membership confirmed, and the ability to actually process a transaction from a merchant's terminal or checkout through to settlement. Not a test transaction in sandbox. A real one.

For SEPA or other payment rails, the banking partner needs to be connected, the IBAN infrastructure needs to be in place, and the institution needs to be able to send and receive. If processing currencies differ from settlement currencies, or payments are executed with a conversion element, the partner (bank or liquidity provider) needs to be ready, the accounts need to be operational, and there needs to be a mechanism to feed execution rates into the system and add markups.

The most common mistake here is assuming that because contracts were signed during the licensing phase, everything will just "turn on" when the license arrives. It doesn't. Every integration has a last mile, and that last mile always takes longer than expected.

Safeguarding accounts.

The safeguarding framework was described in the license application. Now it needs to work.

That means segregated accounts are open at an eligible financial institution. The institution can actually move funds into them. The process for splitting client funds from own funds is operational – ideally automated, but at minimum clearly documented and executable within the T+1 window.

If the institution plans to hold rolling reserves separately, that's a third account with its own reconciliation stream.

The biggest risk in the first 90 days is that safeguarding is "set up" on paper but the actual mechanics – the daily splits, the fund movements, the reconciliation – haven't been tested in a live environment. The first real settlement exposes every gap.

Client onboarding.

A licensed institution with no merchants is just an expensive holding structure. Onboarding needs to be functional from day one of activation.

That means the KYC/AML process works end to end. Not just the compliance policy – the actual workflow. Can a merchant submit documents? Is there a screening process? Who approves? How long does it take? What system holds the records? And more importantly – how is the transaction monitoring functioning? What is its accuracy rate? The goal is to catch the restricted transactions without generating false positives that add to the noise and manual work.

Pricing needs to be ready – rate plans, fee schedules, contract templates. The commercial team needs to be able to quote and sign, not wait for someone to build a spreadsheet. And once a contract is signed, can the system work with the terms that were actually sold? It sounds cliché, but mismatches do happen.

And critically, the onboarding process needs to connect to the operational chain. When a merchant is approved, does the gateway know? Does the settlement engine know? Does finance know? Or does someone need to manually update three different systems?

The institutions that onboard their first merchant smoothly are the ones that designed the process before the license arrived. The ones that scramble are the ones that treated onboarding as "a sales problem" rather than an operational architecture problem.

The team.

During the application, the team structure was presented to the regulator. Key function holders were approved. Now those people need to actually do their jobs.

The compliance officer needs live monitoring tools and transaction screening, not just policies in a folder. The finance function needs access to data, a working ERP, and the ability to produce the reports promised to the regulator. Operations needs documented processes – not aspirational ones, but ones that reflect how things actually work in week one.

The most dangerous assumption is that the team will "figure it out as we go." They will – but the cost of figuring it out in a live regulated environment, with real client funds, under regulatory observation, is significantly higher than designing it beforehand. And the probability that clunky legacy processes get built instead of seamless, scalable ones is extremely high when that happens.

The regulator is watching.

The first 90 days are not a grace period. Regulators expect that what was described in the application is what gets delivered. Supervision doesn't start after the institution has had time to "settle in." It starts immediately.

That means the reporting framework needs to be ready. The first regulatory submission needs to be accurate and on time. If the regulator asks to see the safeguarding reconciliation or the settlement process, the answer cannot be "we're still setting that up."

Building a productive relationship with the supervision team starts here. Being proactive, transparent, and prepared in the early interactions sets the tone for everything that follows.

The QuietOps™ principle:

The first 90 days should be boring. Rails work. Safeguarding runs. Merchants onboard. Reports submit. Nobody is scrambling, nobody is improvising, nobody is explaining to the regulator why something isn't ready yet.

That only happens when the operational architecture is designed before the license arrives – not after. The application should be the blueprint for how the business runs, not a document that gets filed and forgotten.

Because by day 91, the regulator isn't asking whether the institution is licensed. They're asking whether it's operational.