Skip to content
RiverCore
Crossmint Lands PSD2 License, Stacks It on MiCA for EU Stablecoins
Crossmint PSD2 licenseMiCA authorizationEU stablecoinsCrossmint EU stablecoin payments vendorPSD2 MiCA dual license Spain

Crossmint Lands PSD2 License, Stacks It on MiCA for EU Stablecoins

4 Jul 20267 min readMarina Koval

Any platform lead in an EU neobank, remittance shop, or payroll fintech who is currently sketching a stablecoin roadmap on a whiteboard just had their vendor shortlist rewritten. On July 3, a Madrid-headquartered infrastructure provider quietly stacked a payments license on top of a crypto license, and in doing so removed one of the more expensive line items in a stablecoin build: the second vendor. The next 90 days of architecture decisions in Frankfurt, Paris, and Dublin are going to look different because of it.

What Happened

Crossmint has been authorized as a Payment Institution by the Bank of Spain under PSD2, as Voice of Alexandria reported. That authorization sits on top of a MiCA class 2 authorization the company received earlier in 2026 from Spain's CNMV, plus a completed CASP registration that unlocks passporting across all 27 EU member states.

The stack matters more than either license in isolation. MiCA governs how a firm can hold and administer crypto-assets, including stablecoins classed as e-money tokens. PSD2 governs how a firm can move money as payments, with strong customer authentication, defined fraud liability, and enhanced prudential safeguards baked in. Historically these were two separate vendor problems. Now they are one.

Co-Founder Rodri Fernández Touza framed the ambition in plain terms: the company wants to serve "enterprise fintechs, neobanks, remittance providers, and payroll platforms" that need to "adopt stablecoin rails and transform how money moves globally," and doing that in the EEA "means operating under the full regulatory stack." General Counsel Miguel Zapatero pushed the point harder, claiming Crossmint is "among the first stablecoin infrastructure providers in the EU operating under both frameworks."

The practical consequence, as the company describes it: custodial wallets and transfer infrastructure are now governed by both MiCA and PSD2 simultaneously, and the historical requirement to partner with a separately licensed payment provider to execute e-money token transfers on behalf of clients has been removed.

Technical Anatomy

Before this authorization, the reference architecture for a European fintech wanting to offer stablecoin payments looked like a Rube Goldberg diagram. You had a CASP holding the tokens, a licensed payment institution executing the actual value transfer on behalf of end customers, KYC and AML controls duplicated across both, and a compliance officer trying to reconcile two audit trails against two supervisors. Every hop in the flow added latency, added counterparty risk, and added a contract with a renewal clock.

The engineering pain lived in the reconciliation layer. When a payroll platform sent EUR-denominated stablecoin to a contractor's wallet, the CASP saw a token transfer, the PI saw a payment instruction, and the fintech's own ledger had to prove they were the same event within the settlement window. Idempotency across two regulated systems is not a fun problem. Neither is inheriting one vendor's incident response timeline when the other vendor's regulator asks questions.

Consolidating both authorizations into a single provider collapses that reconciliation. Custody and payment initiation happen inside one regulated perimeter, one audit trail, one set of SCA flows. PSD2's strong customer authentication requirements, which typically mean two-factor challenges with dynamic linking to transaction amount and payee, can be implemented once at the wallet layer rather than bolted on downstream. Fraud liability, which under PSD2 sits with the payment service provider unless customer negligence is proven, is no longer a hot potato between two vendors trying to point at each other.

There is a technical trade-off worth naming. Concentration risk goes up. If your entire stablecoin flow, from custody through settlement, sits with a single provider, then their outage is your outage, their compliance breach is your headline, and their contract terms are your unit economics. The old patchwork was expensive but it was diversified. Anyone modeling this decision should compare the reconciliation cost savings against the concentration premium, and probably still keep a second custody path warm.

Who Gets Burned

The most immediate pressure lands on standalone European CASPs who built on the assumption that MiCA authorization alone was a durable moat. It's not. MiCA gets you into the room. PSD2 is what lets you actually move the money without renting someone else's rails. Any CASP whose deck still says "partnerships with licensed PSPs" as a strength is now describing a cost center, not a feature.

Second in line: the EMI and PI providers who have been quietly picking up stablecoin transfer volume as the crypto-native side of the flow. Their use over CASP partners just decreased. If Crossmint can offer a bundled MiCA-plus-PSD2 product to a Tier-2 neobank, the neobank's negotiation with its incumbent EMI on stablecoin corridors gets sharper overnight. Expect renewal cycles in Q4 to include some uncomfortable pricing conversations.

Third: internal build teams at larger fintechs and neobanks who pitched their boards a two-year in-house licensing roadmap. Those roadmaps looked defensible when the alternative was assembling three vendors and managing them. They look less defensible when a single external provider can offer the full stack under Spanish supervision with EU passporting. The build-vs-buy math for stablecoin infrastructure just shifted meaningfully toward buy for anyone who is not already at scale.

The General Counsel at any mid-sized European fintech evaluating stablecoin payments this week should be asking their Head of Platform a specific question: what is the fully loaded cost, including personnel, of maintaining our current multi-vendor stablecoin arrangement over the next 24 months, and how does that compare to consolidating onto a single MiCA-plus-PSD2 authorized provider with a documented exit clause? If the answer isn't already on a slide, that slide needs to exist by the end of the month.

Playbook for Crypto and DeFi

For teams building stablecoin products into the EU, three moves are worth putting on the calendar this quarter.

First, re-scope the vendor RFP. If your current shortlist assumes separate CASP and PI relationships, add a column for single-provider full-stack authorization and re-run the TCO. Include reconciliation engineering headcount, incident coordination overhead, and the cost of dual compliance audits. This is the number your CFO actually cares about, and it's usually 30 to 50 percent larger than the sticker price of the vendor contracts alone.

Second, pressure-test concentration risk explicitly. A single regulated provider handling both custody and payment execution is operationally cleaner and strategically riskier. Insist on contractual portability of KYC records, wallet address histories, and transaction data. Insist on a documented migration path to a second provider inside a defined window. The best time to negotiate an exit is at signing, not at renewal.

Third, rethink hiring. The talent profile for a stablecoin platform lead in 2024 was crypto-native engineer who could read a whitepaper. The profile for 2026 is someone who can read PSD2 Article 97 on strong customer authentication and a MiCA Title III whitepaper with equal fluency. That person is scarce and getting scarcer. Recruit accordingly, and probably overpay by 15 to 20 percent versus your current comp bands.

Key Takeaways

  • A single provider holding both MiCA class 2 and PSD2 PI authorization in Spain, with CASP passporting across all 27 EU member states, changes the reference architecture for stablecoin payments in the EEA.
  • The multi-vendor patchwork of separate CASP and licensed payment provider relationships now looks like a cost center rather than a diversification strategy.
  • Concentration risk rises materially when custody and payment execution consolidate into one regulated counterparty. Exit clauses and portability need to be negotiated at signing.
  • PSD2's strong customer authentication, fraud liability, and prudential safeguards move from downstream bolt-ons to native wallet-layer requirements.
  • Build-vs-buy math for EU stablecoin infrastructure has tilted toward buy for any fintech not already operating at licensing scale, and internal roadmaps need to be re-defended this quarter.

Teams evaluating stablecoin payment infrastructure in Europe should now be asking themselves a sharper question than "which CASP." The right question is which single counterparty they are willing to consolidate custody and payment execution into, on what contractual terms, and with what documented path out if the concentration bet goes sideways.

Frequently Asked Questions

Q: What is the difference between MiCA and PSD2 for stablecoin providers?

MiCA governs how a firm can hold and administer crypto-assets, including stablecoins classified as e-money tokens, and requires CASP authorization. PSD2 governs the movement of money as payments, with strong customer authentication, fraud liability rules, and prudential safeguards. A provider needs both to offer end-to-end stablecoin payment services without partnering with a separate licensed payment institution.

Q: Why does Crossmint's Spanish authorization matter across the EU?

Because CASP registration with Spain's CNMV allows passporting across all 27 EU member states under MiCA, and PSD2 authorization from the Bank of Spain similarly enables cross-border payment services within the EEA. A single national authorization becomes an EU-wide operating license.

Q: What are the risks of consolidating stablecoin custody and payments with one provider?

Concentration risk is the main concern. A single provider handling both custody and payment execution means their outage, compliance breach, or contract terms directly dictate the fintech's own service continuity and unit economics. Mitigation requires negotiated portability of records, documented migration paths, and ideally a warm second custody relationship.

MK
Marina Koval
RiverCore Analyst · Dublin, Ireland
SHARE
// RELATED ARTICLES
HomeSolutionsWorkAboutContact
News06
Dublin, Ireland · EUGMT+1
LinkedIn
🇬🇧EN