The details your compliance team will ask for.
Modena Payments OÜ is licensed, supervised, and operated under the same rules that apply to every Payment Institution in the European Union. Here's the reference sheet.
Licensing
Authorised to provide payment services across the European Economic Area.
- Legal entity: Modena Payments OÜ
- Regulator: Finantsinspektsioon (Estonia)
- License type: Payment Institution under the Estonian Payment Institutions and E-money Institutions Act, aligned with PSD2 (EU 2015/2366).
- License number: [License No: TBD]
- Passporting: Services passported to all EEA member states under the freedom to provide services.
- Permitted services: Execution of payment transactions, acquiring, money remittance, issuing of payment instruments, account information services (AIS) where applicable.
Funds safeguarding
Client funds are held separately from Modena's own funds, in line with PSD2.
Client money is held in segregated accounts at EU credit institutions. Under PSD2 Article 10 safeguarding, those funds are ring-fenced from Modena Payments OÜ's insolvency estate. Balances are reconciled daily and reported to the regulator.
- Safeguarding method: Segregated client-money accounts (PSD2 Art. 10(1)(a)).
- Custodian bank(s): [Custodian bank list: TBD]
- Reconciliation: Daily three-way reconciliation: ledger, core banking, custodian.
- Insolvency protection: Segregated balances are not part of Modena's insolvency estate.
AML & KYC
Automated onboarding, ongoing monitoring, human review where needed.
We operate a risk-based AML programme aligned with the 5th and 6th EU Anti-Money-Laundering Directives and FATF guidance, calibrated to Estonian and EEA requirements.
KYC
Document + biometric verification, liveness, data checks across EU registries.
KYB
UBO identification down to 10%, company registry checks, adverse media screening.
Transaction monitoring
Rules + anomaly models. Escalations reviewed by our EU-based compliance team.
Sanctions & PEP
Real-time screening against EU, UN, OFAC and UK lists. Refreshed on every change.
SAR / STR filings
Filed with the Estonian FIU. Process audited annually.
Record keeping
Evidentiary records kept for the statutory period under Estonian law.
PSD2 & Strong Customer Authentication
Built-in SCA, dynamic linking, and exemption handling.
Card and account-based payment flows are authenticated under PSD2 Regulatory Technical Standards (EBA/RTS/2017/02) using 3-D Secure 2 with dynamic linking. We request exemptions (TRA, low-value, trusted beneficiary) where the risk profile supports it, with liability shifting as defined by the scheme rules.
3-D Secure 2
Frictionless + challenge flows. Issuer-side device binding.
Dynamic linking
Amount and beneficiary cryptographically bound to the auth code.
Exemption engine
Risk-scored per-transaction: TRA, low-value, recurring, corporate.
Mandate management
SEPA Direct Debit mandates stored, replayable, auditable.
Data protection
GDPR-aligned. EU data residency. Audit trail on every record.
- Data controller: Modena Payments OÜ, Tallinn, Estonia
- Residency: Personal data is stored and processed within the EU.
- Encryption at rest: AES-256 for databases and object storage.
- Encryption in transit: TLS 1.2+ on all public endpoints. Modern cipher suites only.
- Sub-processors: Current list available on request — public sub-processor registry [TBD].
- DPO contact: dpo@modenapay.com
- Data subject rights: Access, rectification, erasure, portability. Responded to within 30 days.
Security
Defence in depth, reviewed by independent experts.
Penetration testing
Annual full-scope engagement by a CREST-accredited firm. Targeted tests on material changes. [Last test: TBD — publish on request]
Vulnerability management
CI-integrated SAST + dependency scanning. Critical issues patched within 24 hours.
Access control
SSO + hardware MFA for staff. Least-privilege by default. Reviewed quarterly.
Incident response
24/7 on-call. Customer notifications per PSD2 Art. 96 and GDPR Art. 33.
Backups & recovery
Encrypted backups, region-redundant. RPO ≤ 15 min, RTO ≤ 4 h on the platform tier.
Framework alignment
Controls mapped to ISO 27001 and SOC 2. [Certifications: in progress — status on request]
Regulatory & complaints contact
Reach out to us first — or to the regulator directly if needed.
Complaints
Write to complaints@modenapay.com with details and any reference numbers. We acknowledge within 2 business days and resolve within 15 business days, or 35 in exceptional cases, per EBA guidelines.
Need a compliance briefing?
We'll share our trust pack, sub-processor list, and jump on a call with your compliance officer.