Fraud liability
Fraud loss does not always land on the same party. The 2015 EMV liability shift in the United States moved counterfeit card-present losses to whichever party uses the less secure technology. When both sides are EMV-compliant and the chip is processed correctly, the issuer keeps the loss.
For card-not-present, 3-D Secure shifts liability. Checkout.com's liability matrix shows that an authenticated 3DS transaction puts fraud liability on the issuer, while an unauthenticated CNP transaction puts it on the merchant. Gross card fraud losses worldwide reached $33.41 billion in 2024 according to the Nilson Report, and a meaningful share of that lands on issuers even when they do everything the rulebook asks.
Infrastructure behind a card program
The duties above run on a stack. A working card program needs a card management system that holds the account and rules, an authorization switch that responds in milliseconds, a ledger that posts the money, a tokenization service for digital wallets, and certified connectivity into each scheme. Around that core sit fraud engines, dispute case management, statementing, and reporting.
Three paths exist for assembling that stack. The first is to build issuing bank infrastructure in-house, which a handful of large banks still do. The second is to rent issuing bank infrastructure from an issuer-processor like Marqeta or Galileo. The third is to access issuing bank infrastructure through a BIN sponsor that bundles regulated access with processor and program management services.
That choice shapes card program ownership and economics. Building in-house gives full card program ownership but eats years and tens of millions before the first card is issued. Renting from a processor preserves most card program ownership while shortening the launch to months. Going through a sponsor surrenders some card program ownership in exchange for speed and a smaller compliance perimeter.
Regulatory and compliance obligations
Every card issuer operates under a license. In the United States that's a state or national bank charter. In the EU and the UK it's an e-money license under the Electronic Money Regulations 2011 or the equivalent EU directive. On top of the license, the issuer holds principal membership with each scheme it operates under, which imposes its own capital and reporting requirements.
Layered onto that are technical and consumer rules. The headline ones include:
- PCI DSS for the protection of cardholder data, which applies to issuers as well as acquirers under Visa Rule 0002228.
- Data protection regimes like GDPR in Europe and state privacy laws in the United States.
- Consumer protection rules such as Reg Z and the CARD Act for credit programs.
- Anti-money-laundering reporting through SAR and CTR filings.
Compliance is continuous and audited. Internal audit, external auditors, scheme reviews, and regulator examinations all run on overlapping cycles, and findings carry remediation deadlines with real teeth. Treating compliance as a launch milestone instead of an operating function is how programs get suspended.
Choosing or becoming a card issuer
Most fintechs want to ship a card through a structure that avoids becoming a bank. The build-partner-sponsor decision comes down to how much regulatory weight you're willing to carry against how much card program ownership and margin you want to keep.
Becoming a directly licensed card issuer means applying for a banking or e-money license and joining the schemes as a principal member, with a compliance function that can survive an examination. The reward is full card program ownership and direct interchange economics, with less sponsor concentration risk. Working with a BIN sponsor compresses that timeline to months and removes the licensing burden. Addleshaw Goddard's breakdown of sponsorship arrangements explains that the BIN sponsor holds the issuing license and ultimate compliance responsibility while the program manager runs the customer-facing side.
The third path is a modern issuer-processor platform that pairs BIN sponsorship with API-driven issuing. It's the fastest route to a live card. The tradeoff is thinner interchange margins and less control over product behavior, with a real switching cost if you outgrow the partner. Galileo's own guide for fintechs notes that many fintechs eventually become their own program manager once scale justifies it.
Key takeaways and next steps
A card issuer is the licensed entity that gives someone a card, holds the account behind it, decides every authorization, funds settlement to the acquirer, and stands behind the cardholder when something breaks. Around the issuer, schemes set the rules for acquirers and processors that serve merchants and move messages; the issuer owns the customer and the money.
If you're evaluating a card program, the next decisions are concrete. Decide whether your business case justifies pursuing a license or whether a sponsor model fits better. Pick a processor whose product roadmap matches yours. Map every duty in this article to a named party in your contracts before you sign anything.
EGS builds resilient fintech infrastructure and issuing bank infrastructure for teams that launch card programs, with sponsor connectivity and the compliance tooling a card issuer needs to operate at scale. If you're sizing the build-versus-partner decision or stress-testing an existing program, reach out to our team for a working session.