European fintech is entering a phase in which the market is rewarding a convenient interface less and less, while asking awkward but increasingly grown-up questions more and more often: who exactly executes the payment, where the boundaries of responsibility lie, how the system works in a non-standard scenario, and what happens when a customer makes a mistake or falls victim to fraud. After the first wave of neobanks, where the main selling points were onboarding speed and app design, infrastructure has moved to the centre of attention. Not the version of it that people like to show on slides, but the one that reveals itself at night, at weekends, during spikes in suspicious transactions, and at the moment when a transfer can no longer be ‘reversed with a polite email to support’.
Blackcatcard is a useful lens through which to examine this shift precisely because it is neither a pure app story nor a pure back-end story. The infrastructure behind this fintech brand, and its public positioning, reflect the typical challenges many EMIs in Europe are facing today. Blackcatcard operates through Malta-based electronic money institution Papaya Ltd, which in August 2025 joined the group of European e-money institutions with direct access to SEPA, including both standard credit transfers (SCT) and instant credit transfers (SCT Inst). For industry specialists, this was not a marketing moment but a sign of maturity: fintech is ceasing to be merely a ‘customer’ of someone else’s banking rails and is taking on a greater share of operational and compliance responsibility.
When ‘instant’ means ‘no room for failure’
SEPA Instant (SCT Inst) is not simply about faster transfers. It is a complete restructuring of payment-processing logic. Money must move on a 24/7 basis, and all checks must take place in real time, before execution. Monitoring, anti-fraud controls and incident response cannot be postponed ‘until overnight’ or ‘until the next batch’.
In November 2025, payments consultant Sacha Cohen of Projective Group captured the essence of what is happening with striking precision in her analysis. ‘Participation in SEPA Instant, whether through direct integration with a clearing and settlement mechanism (CSM) or via a sponsor bank, requires a fundamental transformation of the technical and operational ecosystem,’ she wrote. In her view, systems must operate around the clock, while ‘unhappy flows’ such as screening failures, clearing rejections and anti-fraud breakdowns require predefined fallbacks, escalation procedures and 24/7 support. In the world of instant payments, any delay becomes unacceptable.
This formulation is useful precisely because it brings the discussion down to earth. Many fintechs present connection to SCT Inst as a technical tick-box. In practice, however, it marks the beginning of a long and costly effort to rebuild internal processes, from real-time monitoring to the auditability of every decision.
Direct access: fewer intermediaries, more discipline of one’s own
Papaya Ltd’s direct access to SEPA schemes in August was a step in exactly this direction. Instead of relying entirely on intermediary banks to process euro payments, the institution gained the ability to work with the rails more independently. For the end user, this may show up as more stable conditions, fewer unexpected blocks, and potentially a more predictable experience when making transfers.
It is worth clarifying that direct participation in SEPA schemes does not mean the absence of infrastructure layers: a participant chooses a clearing and settlement mechanism (CSM), submits routing identifiers, and reachability within the scheme is determined through EPC rules and registers. This reduces dependence on a sponsor bank as the ‘only door in’, but it also moves responsibility for 24/7 operations, monitoring and incident handling closer to the provider itself.
It is important, however, not to confuse independence with the absence of risk. Intermediary banks have traditionally acted as a kind of risk filter, taking some decisions on policies, monitoring and incident management. When these functions move partly inside the EMI, the demands placed on its own procedures, team and technical maturity rise sharply. Direct access does not remove regulatory requirements and does not turn an EMI into a bank. It simply shifts part of the responsibility closer to the product provider.
This is particularly visible against the regulatory backdrop of late 2025. Debate over the PSD3/PSR package in the Council of the EU and the European Parliament focused on payment fraud, transparency and preventive measures. Regulators are not offering romance. They are demanding built-in controls rather than external promises. In that environment, ‘direct access’ ceases to be a point of pride and becomes an additional burden on operational discipline.
Expert view: why ‘direct’ is not a triumph, but an obligation
At this point, it is important not to slip into a triumphalist tone. ‘Direct access’ is easy to sell as a victory. In professional circles, however, it is more often seen as a move into a more demanding class of obligations.
Cohen’s analysis effectively explains why: instant payments turn compliance and anti-fraud into a real-time conveyor belt. Sanctions screening, checks and scoring all have to be completed in seconds, not occasionally but constantly. And while some of these responsibilities could previously be softened architecturally through an intermediary, greater independence and direct participation move the pressure on to the provider itself. Put differently, ‘direct’ is not a medal. It is a workload.
To prevent this point from sounding purely academic, it is enough to look at the British context. In December 2025, UK Finance reminded the public that fraud accounts for a significant share of recorded crime in the country, and that banks are the final link in the chain that physically executes the payment. On that logic, much is decided not at the ‘last step’ but earlier: where social engineering begins, who is responsible for warnings, who is capable of stopping the flow without paralysing legitimate customers. This brings us back again to architecture: to the way checks are built and incidents are handled.
What Blackcatcard’s CTO says
In June 2025, Blackcatcard CTO Olegs Cernisevs set out the brand’s position with notable clarity in an interview with Naftemporiki: security is ‘built into’ operations, and the approach is oriented towards DORA and operational resilience. He spoke about risk indicators (KRIs), stress tests, real-time monitoring and standards such as ISO 27001. That is precisely the language now in demand: not ‘we will make things more convenient’, but ‘we will keep the system stable under pressure’.
This is an interesting choice. It reflects an understanding that, in the current environment, trust increasingly depends on how deeply control procedures and resilience mechanisms are embedded in the product. Compliance and anti-fraud are ceasing to be merely ‘external regulatory requirements’ and are becoming part of engineering design, with clear traceability of decisions and documented accountability.
At the same time, this is exactly where journalistic scepticism is useful. Claims about real-time monitoring and built-in security sound convincing in presentations. But the real test always comes in unpleasant scenarios: spikes in false positives, attempts at social engineering, failures in individual components, or unexpected requests from a regulator. As long as a system is running smoothly, the difference between advanced architecture and an ordinary fintech may be almost invisible to the user.
What changes, or does not change, for the customer
For the ordinary Blackcatcard account holder, direct access to SEPA rarely appears in the form of a bright new feature in the app. More often, it is felt indirectly through greater predictability in transfers, fewer situations in which a payment unexpectedly becomes ‘stuck’ because of the internal rules of a partner bank, and potentially clearer accountability when disputes arise.
Instant payments, however, also have a downside. The cost of error objectively rises. Funds leave in seconds, while social engineering and fraud attempts become more dangerous. That is why the quality of preventive controls, such as Verification of Payee (VoP) as an IBAN-name check, real-time scoring and behavioural analysis, together with the speed of incident response, become decisive. The user does not see ‘direct access’ as such, but may feel the difference in how predictably the service works and how transparently refusals or delays are explained.
Why this case deserves close attention
Blackcatcard is interesting not as a standalone success or failure, but as a typical example of a transitional moment in European fintech. In 2026, the market is rewarding those who can explain why their system will not break, and who will be accountable if it does, more than those who simply speak attractively about convenience. Papaya Ltd’s direct access to SEPA in August 2025 became exactly that kind of test: fewer critical external dependencies, but more discipline of its own.
The central question now is not how attractive the app looks. It is what remains when the app is closed: the processes, the rails and the willingness to take responsibility. Blackcatcard, like many other players, stands precisely on that boundary. How successfully it manages to cross it will be shown not by marketing, but by real-world operation under pressure, in the context of instant payments and strict regulatory expectations.