Partner Onboarding

Paynetics initial process

The partner onboarding process at Paynetics follows a structured approach divided into two main phases — Initial Sales and Pre-Vetting — each managed by specialised teams to ensure comprehensive evaluation and successful integration.

Initial Sales Phase

The process begins with initial sales vetting performed by the Sales team, followed by the standard presales process. A critical early step involves handling Non-Disclosure Agreements (NDAs) prior to signing, typically requiring two weeks for completion. During this phase, Sales verifies that the partner's signatory has proper authorisation according to commercial register requirements.

Commercial agreements are finalised within an estimated two-week timeframe, during which partners must be informed of required collaterals and agree to cover costs for translations, notarisations, apostilles, and other official documentation. The financial arrangements also include provisions for all audit costs, including annual KYC/KYB procedures and emergency audits triggered by regulatory requests or suspected violations.

Agreement template distribution is carefully controlled, requiring alignment with Legal and Management teams before proceeding. Templates are only sent with upper management approval, as this decision transcends Legal authority and is not standard practice for all partners. In exceptional cases, certain clients may receive production environment access with generic programs for testing purposes, though this requires specific agreement between Sales and Management.

The Letter of Intent (LOI) signing process typically extends over 30 days and includes consultancy services for crafting policies and procedures, which must be clearly indicated in the financial offer under agreed commercials.

Pre-Vetting Phase

The Pre-Vetting phase is conducted by a specialised team comprising subject-matter experts from multiple departments including Risk & Monitoring, Compliance, Underwriting, Legal, R&D, Finance, Project Management, Product, and CardOps.

The process begins with collecting and agreeing upon an 8-page pre-vetting questionnaire within seven days. Sales teams are responsible for providing signed LOIs, completing questionnaires, and requesting partners to provide specific policies and procedures as outlined in internal partner selection and control rules.

A comprehensive Risk and Control Assessment follows, managed by Sales according to internal procedures for partner selection and control. Each Paynetics department contributes to this assessment by reviewing provided documentation and evaluating risks using the Distributor Risk and Control Assessment Template. This phase includes reviewing exit plans and business-continuity plans, with Sales consulting Risk teams regarding potential additional collateral or pricing adjustments discovered during assessment.

The Risk Committee Decision phase — which can range from 1 to 20 days — involves Sales coordinating the completion of Risk Committee approval forms based on assessment results. The committee makes final decisions using these comprehensive summaries without requiring additional documentation.

Project Management and Legal Finalisation

Project Management takes responsibility for Statement of Work (SOW) preparation, reviewing questionnaires and creating deliverables using established templates. The SOW includes Finance and R&D statements assessing system architecture and functionality impacts. After consultation with Sales and Product teams and pre-vetting team approval, the SOW undergoes internal agreement processes that can extend from one to three months.

During SOW finalisation, all pre-vetting team members provide specific requirements for their respective areas, with Sales coordinating overall partner communications and timeline estimations. Upon SOW signing, Sales organises comprehensive handover meetings and kick-off sessions with assigned project managers and partners.

For partners requiring BNB registration with Paynetics AD, document collection processes spanning 20–40 days involve gathering required documentation, translation services, and delivery to Legal teams. The Legal team then prepares formal agreements based on Risk Committee decisions and finalised SOWs, typically requiring three to four weeks.

The final stages involve agreement discussions conducted by Sales, incorporating partner feedback and legal reviews, followed by final agreement signing. Sales personnel drive the process to completion while Project Managers handle the collection of setup fees as specified in commercial agreements.

This end-to-end process ensures thorough evaluation, risk assessment, and proper integration of new partners while maintaining regulatory compliance and operational efficiency across all Paynetics departments.

BNB application

Following the initial onboarding phases, partners requiring BNB registration undergo additional legal procedures managed exclusively by the Legal team. The BNB application preparation process spans 7 to 14 days, during which the Legal team compiles comprehensive application materials and forwards the complete document package to external legal experts for thorough review before official submission to the Bulgarian National Bank.

Terms and Conditions & Tariff

Concurrent with the application process, Legal teams draft Terms and Conditions over a period of 1 to 3 weeks. This phase requires close coordination with Project Management teams who provide final, Risk and Finance-approved fee structures and account/card limits for end users. The Legal team integrates these specifications into a comprehensive Tariff document that becomes both part of the Terms and Conditions and an attachment to the agent agreement.

Board approval

A critical governance step involves the Legal team's responsibility for submitting both the Terms and Conditions and Tariff documents to the Paynetics Board for review and approval. For Paynetics AD (PAD) partners specifically, these approved documents serve as the foundation for subsequent BNB notification requirements, ensuring full regulatory compliance throughout the registration process.

Partner responsibilities

The Partner is responsible for submitting the required documents for the BNB registration as stated in the checklist provided by Paynetics.

Due Diligence Phase

Following the BNB registration procedures, the Underwriting team conducts comprehensive due-diligence processes spanning 7 to 14 days. This thorough review encompasses multiple components including detailed examination of partner websites and applications, end-client registration flows, member areas, and service features. The Underwriting team also screens KYC / onboarding vendor settings and performs comprehensive testing to ensure compliance standards are met. All required documentation for this phase is systematically stored in the designated KYB Due Diligence Partner pack repository.

KYC / KYB onboarding review

Concurrent with due-diligence activities, the Underwriting team manages KYC / KYB onboarding review and requirements over a similar 7 to 14 day timeframe. This process involves completion of detailed KYC questionnaires using the Partner KYC Assessment Questionnaire template, with Project Management teams utilising standardised email templates for initial partner communication.

A crucial component of this phase includes the approval of API fields, utilising specific templates for issuing and onboarding fields designed for both Paynetics AD (PAD) and Paynetics UK (PUK) operations, ensuring system compatibility and regulatory compliance across different jurisdictions.


KYC and KYB review

KYC and KYB review is the process of investigating and verifying information about a company and its users. It also defines the onboarding process and the data fields collected for each end customer.

What are POI and POA?

When conducting Know Your Customer (KYC) verification, proving the identity and address is a crucial part of complying with anti-money-laundering (AML) regulations.

In the UK, the Financial Conduct Authority (FCA) enforces KYC regulations that require institutions to verify both identity and address for customer due diligence. In the EEA, the EU Anti-Money Laundering Directives mandate KYC checks — including address verification — to prevent money laundering, terrorist financing, and fraud.

These regulations are implemented to uphold the security and integrity of financial transactions and services provided by our institution both within the UK and the EEA. By ensuring comprehensive customer verification, we aim to mitigate risks associated with illegal activities, including money laundering, terrorist financing, and identity theft.

In general, a Proof of Identity (POI) document contains the holder's address. A Proof of Address (POA) is a separate check confirming that the customer's address matches the one in the POI. This requirement ensures independent verification of the individual's current residential address and meets regulatory standards.

The absence of an address on the POI requires two independent POAs to meet regulatory standards, ensuring the accuracy of the address information.

Why two independent POAs may be required

  • Validation — having two proofs of address allows better validation of the individual's address and acts as a safeguard against identity fraud and money laundering. It cross-verifies that the customer resides at the address they provided, which matters in regions with a higher risk of identity fraud or higher-risk customer factors.

  • Tamper resistance — it ensures that one document (e.g. a bank statement) is not tampered with or forged. It is harder to forge two independent documents from different sources (e.g. a utility bill and a government letter).

  • Cross-border consistency — the EEA comprises several different countries, each with its own regulations and standards for KYC. Many EEA countries have a higher risk profile for money laundering, terrorist financing, or identity fraud, which prompts a more cautious and comprehensive approach to verifying customer identities.

By requesting two POA documents, we can ensure consistency across borders and compliance with both UK and EEA regulations and thoroughly verify the identity and residence of our customers.

POA document requirements

The proof-of-address documents required may vary by jurisdiction, but in general:

  • The document must clearly show the customer's name and current address.

  • Outdated documents (older than 3 months) are usually not accepted.

  • Mobile-phone bills and insurance documents are typically not accepted because they do not prove the current address effectively.

The geolocation feature can add an additional layer of address verification, making it easier for customers to confirm their location digitally. This process may help reduce the need for traditional physical document verification in some cases, though the secondary traditional POA is still needed to meet regulatory standards.

Acceptable documents as Proof of Address

  • Bank statement with a visible issue date and the individual's name, issued within the last 3 months.

  • Utility bill for gas, electricity, water, internet, landline telephone, etc., with a visible date and the individual's name, issued within the last 3 months.

  • Lease agreement that is current and contains the signatures of the landlord and the tenant.

  • Letter from a recognised public authority or public servant — e.g. any government-issued correspondence with a visible issue date and the individual's name, issued within the last 3 months.

  • Credit-card statements.

Alternative proof of address — the documents below are only accepted if they contain an address:

  • Passport (if it contains the residential address).

  • National Identity card.

  • Driving licence (except provisional driving licences).

Example: a customer may provide a Passport as Proof of Identity together with an Identity card containing a visible address as Proof of Address.

Unacceptable documents as Proof of Address

  • Old utility bill, bank statement, or government-issued correspondence (issued more than 3 months ago).

  • Provisional driving licence.

  • Mobile-phone bills.

  • Non-government-issued pension statements.

  • Insurance policies.

  • Transfer receipts.

  • Invoices.

  • Bank reference — only acceptable if the document is official, issued by a recognised authority, and contains the residential address.
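The POA rules above can be expressed as one check, shown here as an added example that is not Paynetics code. The document type labels, the `Document` fields, the 92-day reading of "3 months" and the reading of "independent" as "different issuer" are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_AGE = timedelta(days=92)  # assumption: "last 3 months" taken as 92 days

# Type labels are made up for this example; the groupings follow the page's lists.
DATED = {"bank_statement", "utility_bill", "government_letter",
         "credit_card_statement"}  # the general 3-month rule is applied to all
ID_DOCS = {"passport", "national_id", "driving_licence"}  # need an address
REJECTED = {"provisional_driving_licence", "mobile_phone_bill", "invoice",
            "private_pension_statement", "insurance_policy", "transfer_receipt"}
# The conditional "bank reference" case is not modelled; it falls through
# to "not on the accepted list".


@dataclass(frozen=True)
class Document:
    doc_type: str
    issuer: str
    holder_name: str
    address: Optional[str] = None
    issued: Optional[date] = None
    valid_until: Optional[date] = None  # lease agreements only
    signed_by_both: bool = False        # lease: landlord and tenant


def _norm(text: Optional[str]) -> str:
    """Case- and whitespace-insensitive comparison key (a simplification)."""
    return " ".join((text or "").casefold().split())


def check_poa(doc: Document, name: str, address: str, today: date) -> List[str]:
    """Return the reasons one document fails as a POA (empty list = usable)."""
    if doc.doc_type in REJECTED:
        return ["listed as unacceptable"]
    if doc.doc_type not in DATED | ID_DOCS | {"lease_agreement"}:
        return ["not on the accepted list"]
    problems = []
    if _norm(doc.holder_name) != _norm(name):
        problems.append("name does not match")
    if not doc.address:
        problems.append("no address shown")
    elif _norm(doc.address) != _norm(address):
        problems.append("address does not match")
    if doc.doc_type in DATED:
        if doc.issued is None or doc.issued > today:
            problems.append("issue date missing or in the future")
        elif today - doc.issued > MAX_AGE:
            problems.append("issued more than 3 months ago")
    if doc.doc_type == "lease_agreement":
        if not doc.signed_by_both:
            problems.append("lease not signed by landlord and tenant")
        if doc.valid_until is None or doc.valid_until < today:
            problems.append("lease is not current")
    return problems


def evaluate_poa(poi: Document, poas: List[Document], name: str,
                 claimed_address: str, today: date) -> Tuple[bool, List[str]]:
    """Apply the one-or-two-POA rule; returns (accepted, notes)."""
    required = 1 if poi.address else 2       # no address on POI -> two POAs
    reference = poi.address or claimed_address
    issuers, notes = set(), []
    for doc in poas:
        if doc.doc_type == poi.doc_type:
            notes.append(f"{doc.doc_type}: same document as the POI")
            continue
        problems = check_poa(doc, name, reference, today)
        if problems:
            notes.append(f"{doc.doc_type}: " + "; ".join(problems))
        elif _norm(doc.issuer) in issuers:
            # Assumption: "independent" means issued by different sources.
            notes.append(f"{doc.doc_type}: not independent of another POA")
        else:
            issuers.add(_norm(doc.issuer))
    accepted = len(issuers) >= required
    if not accepted:
        notes.append(f"{len(issuers)} of {required} required POAs accepted")
    return accepted, notes


# Constructed sample data (not real customers or documents).
TODAY = date(2025, 6, 30)
ADDR = "12 Example Street, Sofia"
PASSPORT = Document("passport", "Passport Office", "Ana Petrova")  # no address
UTILITY = Document("utility_bill", "City Water", "Ana Petrova", ADDR,
                   issued=date(2025, 5, 10))
OLD_BANK = Document("bank_statement", "Example Bank", "Ana Petrova", ADDR,
                    issued=date(2025, 2, 1))
ID_CARD = Document("national_id", "Interior Ministry", "ana petrova", ADDR)

if __name__ == "__main__":
    for poas in ([UTILITY, OLD_BANK], [UTILITY, ID_CARD]):
        print(evaluate_poa(PASSPORT, poas, "Ana Petrova", ADDR, TODAY))
```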

What is a KYC / KYB or AML refresher?

Refreshers are done on a regular basis. The partner is responsible for conducting AML re-screening and KYC / KYB refreshers, depending on the risk score of the end user, which is sent by Paynetics via API. The partner must also provide the vendor's configuration setup file, which is approved by the Underwriting team.

AML re-screening frequency (by risk score)

  • Risk score 1 — Low risk: screening every 6 months.

  • Risk score 2 — Low to medium risk: screening every 1 month.

  • Risk score 3 — Medium risk: screening every 1 month.

  • Risk score 4 — Medium to high risk: constant screening.

  • Risk score 5 — High risk: constant screening.

KYC / KYB refresher frequency (by risk score)

  • Risk score 1 — Low risk: review every 36 months.

  • Risk score 2 — Low to medium risk: review every 24 months.

  • Risk score 3 — Medium risk: review every 24 months.

  • Risk score 4 — Medium to high risk: review every 12 months.

  • Risk score 5 — High risk: review every 12 months.
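The two frequency tables can drive a due-date check on the partner side, sketched here as an added example rather than Paynetics code. The field names `risk_score`, `last_aml` and `last_kyc` are hypothetical, and treating a never-screened user as due today is an assumption. It also shows how a raised risk score can make a user overdue immediately.

```python
import calendar
from datetime import date
from typing import Dict, List, Optional

# Interval in months per risk score, as listed on the page.
# None = "constant screening": no batch date, the user is monitored continuously.
AML_MONTHS: Dict[int, Optional[int]] = {1: 6, 2: 1, 3: 1, 4: None, 5: None}
KYC_MONTHS: Dict[int, int] = {1: 36, 2: 24, 3: 24, 4: 12, 5: 12}


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def plan(user: dict, today: date) -> dict:
    """Work out what is due for one end user under the current risk score.

    The due dates are always recomputed from the last completed check and the
    score as it is now, so a raised score shortens the interval retroactively.
    """
    score = user["risk_score"]
    if score not in KYC_MONTHS:
        # Fail closed: an unknown score must not silently skip screening.
        raise ValueError(f"unknown risk score {score!r}")

    actions: List[str] = []
    aml_months = AML_MONTHS[score]
    if aml_months is None:
        aml_mode, aml_due = "continuous", None
    else:
        aml_mode = "scheduled"
        last_aml = user.get("last_aml")
        # Assumption: a user with no recorded screening is due today.
        aml_due = add_months(last_aml, aml_months) if last_aml else today
        if aml_due <= today:
            actions.append("aml_rescreen")

    last_kyc = user.get("last_kyc")
    kyc_due = add_months(last_kyc, KYC_MONTHS[score]) if last_kyc else today
    if kyc_due <= today:
        actions.append("kyc_refresh")

    return {"id": user["id"], "aml_mode": aml_mode, "aml_due": aml_due,
            "kyc_due": kyc_due, "actions": actions}


# Constructed sample record (not real data): the same user before and after
# the risk score delivered for them rises from 1 to 3, and then to 5.
TODAY = date(2025, 6, 30)
USER = {"id": "u-001", "risk_score": 1,
        "last_aml": date(2025, 3, 15), "last_kyc": date(2022, 8, 31)}
RESCORED = dict(USER, risk_score=3)
HIGH_RISK = dict(USER, risk_score=5)

if __name__ == "__main__":
    for record in (USER, RESCORED, HIGH_RISK):
        print(plan(record, TODAY))
```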

Additional information on KYC / KYB refreshers

To ensure the accuracy of the data and merchant files, the Underwriting team screens merchant folders using a risk-based approach and keeps a record of the information, documents, and checks performed.

Ongoing KYC refresh of each business relationship is intended to keep the merchant's identification, the purpose and intended nature of the business relationship, and beneficial-ownership information up to date. It aims to re-assess the AML risk level associated with the client's transactions and activities; it determines whether transactions or activities are consistent with the information previously obtained about the client, including the risk assessment; and it helps understand a client's activities over time so that changes can be measured to detect high-risk or negative deviations.

A merchant's KYC refresh includes:

  • Checking the Trade Register to verify company details, or requesting an extract from the Trade Register (issued during the last 3 months, showing company details, directors, shareholders / UBOs, share capital) when no information is available.

  • Reviewing the KYC documents for expired personal documents.

  • Reviewing licence validity.

If any changes in the company details and structure are detected during the KYC refresh, up-to-date documents and forms must be collected from the merchant. A KYC refresh must also be performed just before a merchant's account closure and execution of the final payout.

Risk and Monitoring Onboarding phase

The Risk and Monitoring review phase encompasses several critical components managed by specialised teams. Program limits approval and pricing processes are jointly handled by Risk and Finance teams within a seven-day timeframe. Project Management facilitates initial communication using standardised Risk and Compliance email templates, while partners must provide comprehensive velocity limits for Risk officer review and approval. These requirements are systematically documented in the designated Fees and Limits setup repository for new-client onboarding review. When fees cannot be configured within the Thredd system, Finance teams coordinate external billing service arrangements to ensure proper implementation.

For Paynetics UK (PUK) operations specifically, Consumer Duty assessments are managed by PUK Compliance over 7 to 14 days. Project Management initiates this process by opening email threads with UK Compliance to trigger comprehensive Consumer Duty evaluations, requiring partners to complete detailed assessment forms through the designated Consumer Duty platform.

Strong Customer Authentication (SCA) audit reviews are conducted by Risk officers within seven days, with Legal and Underwriting teams copied for comprehensive oversight. The collaborative review process covers both PUK and PAD operations. Upon completion, Legal teams use the findings to inform agent agreement drafting, maintaining consistency between risk assessments and contractual obligations.

What is the PCI DSS / SAQ?

PCI DSS compliance is required for any business that stores, processes, or transmits cardholder data. If you intend to provide the cardholder with any card details via API (CVV, PAN, etc.), you need to be PCI DSS Level 1 certified or perform an SAQ (when integrating with the Paynetics SDK for secure card details).

  • PCI DSS Level 1 requires a ROC, allowing partners to show card details securely.

  • PCI DSS Levels 2, 3 or 4 require an SAQ and mandate integration with the Paynetics SDK for app/web platforms; additional SDK pricing is included in offers.

  • PCI DSS is not required if the partner does not want to show card details in its app/web platform.

Card details include PAN, CVV, and expiration date.

What is the PEN test?

A PEN test evaluates the security of the system. The Penetration (PEN) test is performed on the client-facing platform to ensure there are no vulnerabilities that may expose Paynetics or our partners to risk. The main goal is to identify weaknesses, including the potential for unauthorised parties to gain access to the system's features and data. PEN tests must be performed regularly depending on the project scope — most scenarios are annual.

What is an SCA audit?

Short answer. SCA — Strong Customer Authentication — ensures that electronic payments are performed with multi-factor authentication, increasing the security of electronic payments. SCA audits are performed regularly depending on the project scope; most scenarios are annual.

Long answer. The security audit is based on Delegated Regulation (EU) 2018/389, supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication. The audit assesses the partner's compliance with the relevant security measures in accordance with the requirements set out in Delegated Regulation (EU) 2018/389 — and in particular the applicable security measures for the application of Strong Customer Authentication (Articles 4–9), the admissible exemptions (Articles 10–21), and the protection of the confidentiality and integrity of the payment service users' personalised security credentials (Articles 22–27).

When does an SCA audit need to be performed?

The authentication process requiring SCA applies when the partner is providing the following services to its customers:

  • Access to payment accounts via internet/mobile banking.

  • Electronic payments via internet/mobile banking.

  • Other remote activities such as internet/mobile banking registration, mobile-app activation, password reset, trusted-beneficiary registration, etc.

Paynetics can provide a scope description of what an SCA audit should contain.

Does Paynetics conduct PEN, SAQ, and SCA audits?

No — Paynetics is not a QSA (Qualified Security Assessor). An approved QSA can be found on the PCI Council website. Paynetics may offer to introduce you to a trusted partner for running the audits. The benefits include lower cost and quicker response in terms of scoping and testing thanks to a long-term partnership with the compliance auditing company.

In addition, Paynetics requires written confirmation if your company would agree to Paynetics being copied in correspondence with the compliance auditing company.

Paynetics marketing information, product and promotions requirements

Why is this important?

Generally, these are the materials that the partner uses to promote the offered service: ads, brochures, newspapers, blogs, social-networking sites, etc. Paynetics, as licence holder, remains responsible for all customer-facing content.

Paynetics must ensure that all our end clients are treated fairly and that the information communicated to them with regard to Paynetics services and products is "clear, fair and not misleading."

As a B2B organisation, Representatives and Partners produce marketing and promotional material to be shared with Paynetics' end clients, but as the regulated entity, Paynetics remains responsible for all client-facing content that relates to Paynetics' services and/or products offered through the Representative/Partner.

Therefore, rules and requirements apply to all of Paynetics' Representatives (incl. Programme Managers, BNB Agents, Distributors) and any other partner (e.g. Technical Providers) or third party that may produce marketing/promotional material and/or product/services information in relation to services and products offered by Paynetics to end clients. Checks must be carried out and recommendations may be made or changes required based on findings.

What communication / information is in scope?

Essentially any material about Paynetics as a firm and the services/products it offers, which is made available to end clients, is covered by the Marketing Information, Product and Promotions Requirements. Examples include, but are not limited to:

  • Product brochures.

  • Newspaper and magazine advertising.

  • Google AdWords.

  • Terms and Conditions (with a particular focus on Summary Boxes).

  • Press Releases.

  • Mailshots and Card Carriers.

  • Website content, website links, RSS feeds and blogs.

  • Digital marketing campaigns.

  • Social-networking sites such as Facebook and Twitter.

  • Smartphone applications.

  • Group presentation aides.

  • Sales aides.

  • Telemarketing material.

What is required?

Paynetics and all our Partners and Representatives must ensure that due regard is paid to the information needs of our end clients and that information is communicated in a way which is clear, fair, and not misleading with respect to the activities of Paynetics as an EMI.

The information itself must also be complete, accurate and not misleading. In good time before Paynetics issues e-money to an end client, it must be communicated to that end client on paper or in another durable medium that the compensation scheme does not cover claims made in connection with issuing electronic money.

In good time, each end client must be made aware of:

  • Who the payment service provider is (i.e. Paynetics) and the fact that the Representative is acting on the Company's behalf.

  • The Terms and Conditions applicable to the specific end client (as agreed with Paynetics).

  • Any applicable fees and charges.

  • The main characteristics of the service/product offered.

How does this work in practice?

Paynetics must approve all marketing/promotional material and/or product/services information prepared for end clients that relates to regulated products/services offered by the Representative on behalf of Paynetics. This approval must be obtained by the Representative prior to making the relevant materials available to the public. This also includes marketing/promotional materials and/or product/services information that are not specifically targeted to end clients (e.g. B2B promotions) but that refer to products/services offered by the Representative/Partner on behalf of Paynetics.

Changes to already-approved marketing/promotional materials and/or product/services information must also be approved (regardless of whether they have been made available to the public or not).

Non-approved marketing/promotional materials and/or product/services information may not be made available to the public. Paynetics aims to review materials within 5 business days and feedback will be provided to the Representative/Partner (incl. requests for amendments, changes, etc.).

Partners are encouraged to discuss all planned changes, communications and materials with their Account Manager in advance, and to submit them through the Account Manager or directly to Compliance@Paynetics.digital.

How to ensure compliance? Guiding principles

When Partners/Representatives provide marketing/promotional material and/or product/service information to end clients, the following high-level principles must be adhered to:

Promotions must be presented in a way that allows the target audience to understand the product. End clients must be given the information they require to make informed decisions, and information should be clear, concise, consistent and consumer-friendly.

The intended purpose and key features of any promoted product should be explained and include all associated charges and fees. A communication or any marketing material may not describe a feature of a product or service as "guaranteed", "protected" or "secure" — or use a similar term — unless the information may be regarded as fair, clear and not misleading.

Each material made available to an end client must:

  • Include the name of the Representative and Paynetics, as appropriate, to make it clear who provides the service/product. The name of the firm or other provider may be a trading name or shortened version of the legal name, provided the target audience can identify the Representative and Paynetics.

  • Be accurate and, in particular, not emphasise potential benefits without also giving a fair and prominent indication of any relevant risks.

  • Be sufficient for, and presented in a way that is likely to be understood by, the average member of the group to whom it is directed or by whom it is likely to be received.

  • Not disguise, diminish or obscure important information, statements or warnings.

Any information about exchange rates must be provided to Paynetics for pre-approval, even when a Representative does not consider it to constitute marketing/promotional material. This includes information that gives the impression that a specific rate is not available to clients or information about conversion-rate charges, etc.

A false or misleading impression about the product must not be created, for example by stating or implying that Paynetics is providing a service which it is not authorised to provide, such as:

  • Referring to Paynetics or any of its services/products using terms like "bank", "neo-bank", "bank-like", "bank account", or "bank transfer".

  • Referring to savings/deposit accounts — Paynetics does not offer such accounts.

  • Referring to overdrafts.

  • Proposing or implying that Paynetics products and services may be used in ways that are not in line with the approved business model and applicable T&Cs.

Technical Integration Phase

Sandbox environment development

The development team establishes comprehensive test environments tailored to each partner's confirmed scope and approved API fields. Program-code creation follows standardised naming conventions with two distinct scenarios. Partners must supply HTTPS URLs for webhook reception, and the Project Management team helps secure Jira access via Support requests that include organisation names and user contact details. Once tasks conclude, partners receive sandbox credentials enabling environment access and testing.

Top-up configuration

This phase involves setting up the Merchant ID and Paynetics payment-page systems. Production top-up work starts with creating a production instance, after which partners fill out forms for Account Funding Transactions or Original Credit Transactions through the Pack Acquiring program, providing application URLs for Google, Apple, and web platforms. Project Management then sends these forms to Underwriting with MID-creation specifications. Partners may select standard Paynetics payment pages or custom versions requiring CSS files for personalisation.

Production environment setup

Creating a production environment demands coordination across teams based on confirmed scope and approved API fields. Project Management first confirms all setup fees and invoices are paid and recorded in the Projects Details repository. Partners must complete comprehensive end-to-end testing in test environments before switching to production.

Project Management notifies all Paynetics departments and obtains explicit confirmations that partners are ready for activation, including CardOps and Development team verifications of fees and limits. Security requirements mandate that partners submit PGP keys in .gpg and .asc formats. Partners then conduct "friends and family" testing and provide Go-Live projections. Two weeks before launch, Account Management assigns account managers and Project Management facilitates handover meetings where Go-Live letters are issued.

SDK for in-app provisioning

The Mobile Development team offers SDK endpoints for partners needing in-app provisioning when PCI DSS certificates are unavailable or resources are limited. Prerequisites include completed Apple and Google Pay setup with properly configured Apple entitlements. Project Management provides comprehensive SDK documentation covering backend, iOS, and Android implementation guidelines. Partners develop endpoints enabling card addition to Google and Apple Pay platforms, providing these to Paynetics for SDK operations. Partners complete integration and testing before pursuing In-app Provisioning Lab certification.

Card Set-up Phase

Card setup operations

The CardOps team oversees a comprehensive card-setup process to prepare partners for issuing procedures through coordinated activities. Design review and approval involves collaboration between CardOps teams, card schemes, and card bureaus, with Project Management providing guidance documents and standardised email templates. For VISA partnerships, this includes completing Co-Branding Forms and configuring VISA Token Service (VTS) settings, while Mastercard implementations require Mastercard Digital Enablement Service (MDES) configuration.

Partner fee and limit setup requires Risk department approval, with CardOps and Development teams handling standard configurations. When standard Paynetics systems cannot establish fees, Finance teams coordinate external billing services for complete implementation. Digital-wallet integration encompasses Apple Pay and Google Pay setup, requiring partners to complete Apple Opportunity questionnaires and provide documentation through the Apple Pay registration repository. CardOps teams register partners in the Apple Partner Hub Portal, granting access to complete designated tasks.

Card-stock ordering follows design approval. Partners confirm and order physical card production while defining delivery methods. CardOps teams request quotations from Allpay, including chip-validity confirmations, while Project Management provides pricing to partners with applicable mark-ups based on LOI or agreement terms. Partners receive guidance on chip-expiry implications and dates. Upon order confirmation, Finance teams prepare invoices containing chip references and expiry information. Payment completion triggers CardOps confirmation to Allpay for order processing.

Integration completion between card bureaus and processors is managed by CardOps. Pavement testing requires careful coordination. Partners are advised to have test cards delivered via DHL to prevent delays, and same-day notification protocols ensure that CardOps can update delivery methods appropriately. Test requests must be submitted during business hours, before 17:00 EET, to maintain efficiency.

Regarding the card design

Card asset format.

  • Virtual and digital cards require RGB, 1536 × 969 px PNG (up to 3 MB).

  • Physical cards need CMYK, Greyscale or Duotone format.

  • Please ensure that the design files do not have rounded corners. All edges should remain sharp / square.

General requisites (must have).

  • Card scheme logo: Mastercard / Visa.

  • Program identifier: Debit.

App icon format.

  • PNG image.

  • RGB colour format.

  • 100 × 100 px.

Templates and standards regarding card scheme are available as attachments. Note that small differences exist in requirements for physical, virtual, and digital card design. Partners should define whether they will perform active or passive solicitation, as this decision reflects on the card setup.

Type of solicitation

Active solicitation is a marketing approach where partners target people in a social channel in their native language. The marketing program is personalised for a specific country, with partners providing a list of countries where active solicitation will occur and volume projections of card issuing and delivery per country.

Passive solicitation is a marketing approach where the partner does not target a specific group of people, does not run commercials in social channels, and does not personalise commercials for a specific country. Partners maintain only a website where ordinary visitors can register.

Regarding card stock

  • Order. Paynetics has a partnership with the Allpay card bureau. The minimum card Purchase Order is for 1,000 cards. Allpay handles production and delivery. The agreement specifies a spoilage rate of no greater than 5% for paper stock and 3% for card stock. Deviations in purchase order and delivery are possible, with the card bureau providing no compensation for spoiled cards.

  • Card stock. The card bureau maintains card stock. The partner is responsible for card-stock order and payment. A 15% mark-up may apply according to the financial proposal.

  • Leaflet stock. Paper-stock requirements depend on design specifications. For generic, unfinished A4 paper, leaflet stock is not required. The partner is responsible for paper-stock order and payment, with a potential 15% mark-up.

  • Envelope stock. Requirements depend on design specifications. Generic envelopes are free of charge and Paynetics is responsible for envelope-stock order and payment. For any other envelope design, the partner takes responsibility, with a potential 15% mark-up.

  • Card delivery. Delivery options include Royal Mail, Bulgarian Mail, or DHL, depending on partner preference. Partners receive monthly invoices for the total amount of shipped cards during the preceding month, with a potential 15% mark-up.

Regarding Apple / Google Pay tokenisation

Key note.

  • VISA: Tokenisation can only be enabled if both Apple Pay and Google Pay are activated together. Enabling tokenisation for only one platform is not supported under VISA's current setup.

  • Mastercard: Selective tokenisation is supported. You may launch Apple Pay or Google Pay independently.

Apple Pay. Registration occurs through Apple's Partner Hub platform. Partners receive an invitation email after completing the required form. Apple requires all partners to implement both manual and in-app provisioning and to pass a LAB certification with approved Apple laboratories.

  • If Paynetics is the technical app provider, Paynetics is responsible for both in-app provisioning setup and LAB certification, according to the current agreement.

  • If the partner uses their own app or another technical provider, the app must be PCI DSS Level 1 compliant regarding in-app provisioning SDK requirements. The partner is responsible for conducting LAB certification. PCI DSS Level 1 compliance is not required if the app integrates with the Paynetics in-app provisioning SDK, though the partner remains responsible for LAB certification.

Google Pay. Registration is conducted via email, facilitated by Paynetics. Currently, Google does not require manual and in-app provisioning at the same stage.

  • If Paynetics is the technical app provider, Paynetics is responsible for in-app provisioning setup.

  • If the partner uses their own app or another technical provider, the app must be PCI DSS Level 1 compliant regarding in-app provisioning SDK requirements. PCI DSS Level 1 compliance is not required if the app integrates with the Paynetics in-app provisioning SDK.

In-app provisioning. In-app provisioning for both Apple Pay and Google Pay requires technical integration. Paynetics can provide a commercial offer for SDK in-app provisioning integration, or partners may develop the SDK independently.

Dedicated BIN setup

For partners requiring individual BIN configurations, Project Management coordinates with CardOps and organises partner kick-off meetings. Project Management maintains continuous alignment with card-scheme project progress to ensure seamless implementation.

A Program defines the configuration under which accounts and cards operate.

Programs specify supported currencies, account and IBAN generation rules, availability of virtual and physical cards, and default card behaviour such as limits, fees, usage controls, and wallet enablement.

Each account is created under a specific program and references it via a program code, which is provided during partner onboarding.

Programs establish default behaviour at both account and card levels. These defaults can be refined later through API configuration where applicable.

Finance Set-up

Finance teams manage financial project-setup requirements, with Project Management coordinating commercial discussions when partners request Paynetics account-opening services. Commercial terms must be properly declared in Framework Agreement account API documentation to ensure transparent financial arrangements and proper system configuration.

This end-to-end process ensures thorough evaluation, risk assessment, and proper integration of new partners while maintaining regulatory compliance and operational efficiency across all Paynetics departments.

Pre-Go Live Preparation

Pre-Go-Live finalisation

The implementation's concluding stage involves securing regulatory approvals, performing technical checks, and confirming operational readiness. Legal teams manage agent registration approval over approximately three to four months, starting with regulatory notification and formal registration procedures. Once the Bulgarian National Bank (BNB) grants successful registration, Project Management updates partners and coordinates the launch schedule.

For Paynetics AD operations, Legal teams handle BNB notifications requiring 15-day processing periods. Project Management confirms launch dates with partners while Legal teams notify BNB of planned dates and submit required Terms and Conditions and Tariff documentation, triggering mandatory two-week notice periods where the BNB may offer regulatory feedback.

Paynetics UK operations require Financial Conduct Authority notifications managed by the PUK Chief Risk and Compliance Officers within three to five days, covering distributor business-model details and assessments of whether critical functions will be outsourced per European Banking Authority guidelines.

Production validation and final checks

Project Management directs production-testing validation spanning three to four days, beginning with PROD credential distribution and test scenario declarations via standardised email templates. Support and Project Management coordinate technical-integration validation through partner checklists; Finance confirms fee collection and setup configurations with required system accounts; CardOps validates payment-testing functionality.

Pre-Go-Live checks and training procedures require seven to ten days for completion, including website-footer implementation, specialised training on chargebacks and consumer-duty requirements, and comprehensive user-onboarding reviews covering registration processes, Terms and Conditions access, and website consistency.

Compliance verification involves KYC and Underwriting teams reviewing all production test end-clients, configuring AML monitoring rules in NOTO systems, and coordinating card-scheme registrations. Final activities include partner satisfaction surveys, project documentation updates, PM-AM handover with Marketing team involvement, and formal Go-Live letter issuance.

Partner Managed KYC and KYB

If you already have an established customer-onboarding process or wish to retain greater control over the onboarding flow, Paynetics offers the flexibility for you to manage your own KYC (Know Your Customer) and KYB (Know Your Business) processes.

This setup is subject to prior approval and ongoing oversight by Paynetics to ensure full alignment with our regulatory, security, and risk-management standards.

Approval process

Before you can operate under the Partner Managed KYC/KYB model, Paynetics must review and approve:

  • Your selected KYC / KYB vendors.

  • Your onboarding procedures and policies.

  • Your system architecture and controls.

The list of required verifications and documentation will be tailored to your business model and customer risk profile and will be provided by Paynetics during the onboarding of your program.

Evaluation steps

  1. Demonstration of your KYC / KYB process — a detailed walkthrough of your customer-onboarding journey.

  2. Audit of policies and procedures — a thorough review of your KYC / KYB documentation, workflows, and control points.

  3. Vendor review — assessment of the external providers supporting your KYC / KYB process.

  4. System access — Paynetics will require direct access to your KYC / KYB systems for monitoring and audit purposes.

Ongoing responsibilities

You must provide Paynetics with real-time submission of all KYC / KYB documents, verification reports, and vendor checks via the Onboarding API.

Paynetics reserves the right to override any verification decision at any time.

Annual AML audits of your vendors and processes will be conducted, with increased frequency if dictated by monitoring outcomes or customer risk profiles.

Gradual autonomy

Initially, all customer-verification decisions will require Paynetics' approval. Once your processes consistently meet our standards, you may be granted the ability to onboard customers independently — subject to random, ongoing checks by Paynetics and full process audits conducted annually, semi-annually, or more frequently if risk factors warrant.

If any breaches of policy or regulatory standards occur, Paynetics may reintroduce stricter control levels, require additional approvals, or temporarily suspend the onboarding of new customers in serious cases.

Key considerations

  • You must maintain full audit trails for all KYC / KYB decisions.

  • Paynetics will regularly review your system configuration, vendor management, and data-handling practices.

  • All changes to your KYC / KYB flows, vendors, or risk policies must be communicated to Paynetics in advance for review and approval.
