The EBA’s report on white labelling: Key legal and compliance takeaways

Introduction

In October 2025, the European Banking Authority (EBA) published its Report on White Labelling (EBA/REP/2025/30), taking stock of how this model is used across the EU and identifying the key regulatory, supervisory and consumer protection risks that can arise. While the report does not propose any new binding rules, it sends a clear signal: white labelling arrangements are moving firmly onto supervisors’ radar and are likely to receive increased scrutiny in the coming years.

The report finds that 35% of banks surveyed in 2025 employed white-labelling arrangements, confirming that this is a widespread and growing business model in the EU. It encompasses a broadening range of services and products, including deposit accounts, buy-now-pay-later (BNPL) and other forms of credit, e-money and payment services, and is expected to be used increasingly in the crypto-asset sector.

This article explains what the EBA means by “white labelling”, draws out some of the key report findings, and highlights the practical implications that firms involved in, or considering, a white-labelling partnership should consider.

What is “white labelling”?

In the EBA’s terminology, white labelling refers to a business model in which a financial institution (the provider) enters into an agreement with another entity (the partner) to distribute and offer financial products and services under the partner’s brand only. The partner may or may not be a regulated financial institution.

For the purposes of the report, “financial institutions” are firms falling within the EBA’s sectoral mandates: credit institutions (banks), electronic money institutions, payment institutions, non-bank issuers of asset-referenced tokens and non-bank lenders.

The report identifies a number of typical and emerging white-labelling use cases, including:

• e-money and deposit accounts or cards offered under the brand of a partner (such as retail or software companies);

• acquiring, BNPL or other credit products embedded into e-commerce platforms, marketplaces or merchant journeys;

• account information services combined with API aggregation or data enrichment services; and

• the more recent emergence of so-called “stablecoins-as-a-service”, for example where a financial institution integrates blockchain-based units into its offering without issuing the units itself.

The EBA also clarifies what does not necessarily fall within white labelling. In particular, it distinguishes white labelling from the concept of Banking-as-a-Service (BaaS), defined by the Basel Committee on Financial Supervision as “the provision of banking services by banks through non-bank intermediaries (e.g. FinTechs, BigTechs and other firms) that serve as the interface to clients”. The EBA notes that not all BaaS models involve white labelling, especially where the banking provider’s brand is maintained. The report also excludes co-branded products (such as co-branded cards), since customers have visibility of the provider’s identity.

Overall, the EBA’s concept of white labelling appears to be closely tied to whether the provider’s brand is visible to the end customer, rather than solely the partner’s.

The report forms part of the EBA’s broader mandate to monitor market developments, innovation and changes in financial value chains. White labelling was identified as a priority topic due to its rapid growth, its cross-border dimension and the increasing involvement of non-financial partners in the distribution of regulated services.

The stated aim is not to prohibit or discourage white labelling, but to better understand its opportunities and risks and to support supervisory convergence among EU national competent authorities (NCAs).

Key challenges and risks identified by the EBA

1. Regulatory qualification (outsourcing, agency, reliance, other..)

One of the central supervisory challenges identified is the difficulty for the NCAs and firms with properly classifying white-labelling arrangements from a regulatory perspective. Depending on the specific setup, an arrangement may qualify as outsourcing, agency, reliance on customer due diligence performed by a regulated third party, or another form of third-party dependency. Divergences in regulatory treatment persist, whereby the same arrangement may be qualified differently from one Member State to another, especially in areas not fully harmonised under the EU law, and this gives rise to challenges for firms looking to scale their white labelling models across the EU.

From a legal and compliance perspective, this regulatory qualification has direct consequences for the obligations that apply to the provider and, in some cases, the partner. It also shapes the contractual arrangements, governance framework and compliance and risk management controls that must be put in place between the parties.

2. Governance and allocation of responsibilities

A recurring theme in the report is the risk arising from unclear or poorly documented allocation of roles and responsibilities between providers and partners. While the provider, in most cases, remains ultimately responsible for regulatory compliance, many operational and customer-facing tasks are often performed by the partner, including marketing, onboarding, customer support and complaints handling.

Depending on the nature and scope of tasks delegated to the partner, the white-labelling arrangement must be structured and managed in line with applicable EU and national frameworks, including:

• the Anti-Money Laundering Directive (EU) 2015/849 (AMLD), in particular for outsourcing or reliance on regulated third parties for CDD-related functions;

• the Digital Operational Resilience Act (DORA) Regulation (EU) 2022/2554, where ICT third-party services are used;

• the EBA guidelines on outsourcing arrangements (EBA/GL/2019/02) and the forthcoming revised guidelines on (non-ICT) third-party risk management; and

• other sector-specific conduct of business requirements, including those relating to marketing, disclosures and complaints handling.

From a supervisory perspective, unclear allocation of tasks can result in gaps in risk management, weak oversight of partners and inconsistent application of regulatory requirements across the value chain.

3. Consumer protection and transparency

Consumer protection concerns arise where customers are insufficiently informed about the existence of a white-labelling arrangement, the identity and licensing status of the provider, and who is responsible for complaints, redress and liability if something goes wrong.

The EBA links this lack of transparency to increased risks of mis-selling, confusion in complaints handling and delays in redress, particularly where the provider and partner are established in different Member States. The report also connects transparency gaps and weaknesses in fragmented AML processes with elevated fraud risk, including cases where consumers are deceived by fraudsters impersonating either the provider or the partner.

4. AML/CTF risk

AML/CTF is a central focus of the report. White labelling models may involve partners performing a varying range of customer due diligence checks and associated functions, while the provider retains ultimate responsibility for compliance. Where the partner is regulated, the provider may rely on CDD performed by the partner under specific conditions.

Whether outsourcing or reliance models are used, weak CDD processes at partner level, insufficient oversight by the provider and limited access to KYC information can materially increase ML/TF risk, particularly in cross-border arrangements. Notably, around half of Member States assess white-labelling models as presenting medium to high ML/TF risk.

5. Operational and reputational risks

The EBA also highlights operational and reputational risks stemming from the fragmentation of the value chain in white-labelling arrangements. Increased reliance on partners for customer-facing interfaces, processes or data flows can heighten the risk of service disruptions, control failures or incidents that are more difficult for providers to identify and remediate promptly.

These operational risks are closely linked to reputational risk. Failures or misconduct by either the provider or the partner may negatively affect the other, regardless of contractual allocation of responsibility, particularly where customers perceive the service as belonging to a single brand. In stressed scenarios, providers (or regulated partners) may also face “step-in” risk, where they feel compelled to support the other party to protect customers or preserve trust, even in the absence of a legal obligation.

What’s next for white labelling?

The report is not legally binding and does not amend EU legislation. The EBA expressly states that it has not identified a need for changes to EU law at this stage.

However, the report clearly signals heightened supervisory attention. White labelling has been integrated into the 2026 Union Strategic Supervisory Priorities (USSP), and the EBA plans further work focused on supervisory convergence, monitoring of emerging risks and improved consumer disclosures and awareness. Firms should therefore expect increased scrutiny of such arrangements from their NCAs. In practice, firms should be ready to explain how their white-labelling models are structured, how the risks identified in the report are mitigated and managed in practice, and whether their governance, oversight and control frameworks are commensurate with the complexity and risks of those arrangements.

Practical takeaways for firms

Licensed providers

For licensed providers, the EBA report reiterates a familiar principle: regulatory responsibility cannot be outsourced. Providers remain accountable, within the sphere of their regulated activities, for compliance with all applicable requirements, regardless of how much of the customer relationship is handled by the partner.

Firms operating or planning white-labelling models should, in particular:

• map the model clearly, documenting the end-to-end value chain and identifying who performs which tasks at each stage;

• assess regulatory qualification early, as outsourcing, agency, reliance or other  characterisation can materially affect regulatory and contractual requirements;

• define roles and responsibilities contractually, especially for onboarding, AML/CTF, complaints handling, data protection and customer communications;

• implement appropriate risk management controls, including up-to-date risk assessments, partner due diligence and ongoing oversight through monitoring and audits;

• review consumer communications and disclosures to ensure transparency around the provider’s identity and regulatory status and complaints pathways; and

• plan for exits and disruptions, including contingency planning and potential step-in scenarios.

White label partners

For partners, white labelling arrangements may trigger their own regulatory obligations, including under AML/CTF or conduct regimes, depending on how the arrangement is structured and classified. Even where partners are not directly regulated, their activities can expose them to regulatory, operational and reputational risk.

In light of the EBA report, partners may expect closer scrutiny from providers and, directly or indirectly, from supervisors. Similarly to providers, partners should be clear on the scope and nature of their regulatory and/or contractual responsibilities pertaining to their white labelled services.

How we can assist

For assistance in launching a white labelling programme or general assistance with white labelling arrangements, contact FM Legal for a confidential discussion.