Regulatory Compliance
Last Updated: February 2026
Cibeeo Inc SRL — Operating as VebboPay
VebboPay, operated by Cibeeo Inc SRL, is committed to full compliance with all applicable European Union and national regulatory frameworks governing payment services, artificial intelligence, digital operational resilience, and consumer protection. This page provides a comprehensive overview of our regulatory posture and the measures we undertake to meet our obligations as an autonomous, agentic AI payments and processing platform operating within the European Economic Area (EEA).
1. PSD2 — Payment Services Directive 2
As a provider of payment initiation and account information services within the EEA, VebboPay operates in accordance with Directive (EU) 2015/2366 (PSD2) and its transpositions into national law.
1.1 Licensing Status
Cibeeo Inc SRL holds the necessary authorisation to provide payment services in accordance with PSD2 requirements. Our licensing status is maintained with the relevant national competent authority, and we operate under the passporting regime where applicable to serve customers across EEA member states. All licensing documentation is available upon request to regulatory authorities.
1.2 Strong Customer Authentication (SCA)
VebboPay implements Strong Customer Authentication as required under Articles 97 and 98 of PSD2 and the accompanying Regulatory Technical Standards (RTS) on SCA and Common and Secure Communication. Our SCA implementation includes:
- Two-factor authentication: Unless an exemption permitted by the RTS applies, all payment transactions and sensitive account actions require authentication using at least two of the three factors — knowledge (something only the user knows, such as a password or PIN), possession (something only the user possesses, such as a registered device or token), and inherence (something the user is, such as a biometric). The factors are independent, so that compromise of one does not undermine the reliability of the others.
- Dynamic linking: For remote electronic payment transactions, authentication codes are dynamically linked to the specific amount and payee, ensuring that any modification to the transaction parameters invalidates the authentication.
- Transaction risk analysis: We employ real-time transaction risk analysis in accordance with the exemptions framework outlined in the RTS, applying exemptions only where risk thresholds are demonstrably met.
- Session timeouts: Authenticated sessions are subject to strict timeout policies to mitigate the risk of unauthorised access.
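The dynamic-linking requirement above is easiest to understand from a concrete check. The following is an added illustrative example, not VebboPay's code: it binds an authentication code to the exact amount and payee with an HMAC under a per-device secret, bounds the code's lifetime, and shows that changing either the amount or the payee after the code was issued makes verification fail. The per-device key, the canonical field encoding, the five-minute validity window and the sample IBANs are all constructed assumptions for the example.

```python
"""Illustrative dynamic linking of an SCA authentication code to amount and payee.

Added example, not VebboPay's implementation. Assumes a secret shared between
the user's registered device and the server (constructed here), a canonical
length-prefixed encoding of the transaction fields, and a validity window.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 300  # assumed validity window for an issued code


@dataclass(frozen=True)
class Transaction:
    amount_minor: int    # amount in minor units (cents) to avoid float rounding
    currency: str
    payee_iban: str


def _canonical(tx: Transaction, nonce: bytes, issued_at: int) -> bytes:
    # Length-prefix every field so two different transactions can never
    # serialise to the same byte string (e.g. "12"+"50" vs "125"+"0").
    parts = [str(tx.amount_minor), tx.currency, tx.payee_iban,
             nonce.hex(), str(issued_at)]
    return b"".join(len(p).to_bytes(2, "big") + p.encode() for p in parts)


def issue_code(device_key: bytes, tx: Transaction,
               issued_at: Optional[int] = None) -> dict:
    """Issue a code that is specific to this amount, payee and moment."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    nonce = secrets.token_bytes(16)  # prevents replay of an old code
    mac = hmac.new(device_key, _canonical(tx, nonce, issued_at),
                   hashlib.sha256).digest()
    return {"code": mac.hex(), "nonce": nonce, "issued_at": issued_at}


def verify_code(device_key: bytes, tx: Transaction, code: dict,
                now: Optional[int] = None) -> bool:
    """Accept only if the code was issued for THIS amount/payee and is unexpired."""
    now = int(time.time()) if now is None else now
    if not 0 <= now - code["issued_at"] <= CODE_TTL_SECONDS:
        return False
    expected = hmac.new(device_key,
                        _canonical(tx, code["nonce"], code["issued_at"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the code byte by byte.
    return hmac.compare_digest(expected, code["code"])


def demo() -> dict:
    """Run the four cases a practitioner would want to see."""
    key = secrets.token_bytes(32)  # constructed per-device secret
    tx = Transaction(amount_minor=1250, currency="EUR",
                     payee_iban="DE89370400440532013000")  # constructed IBAN
    code = issue_code(key, tx, issued_at=1_000_000)
    # An attacker alters the amount or redirects the payee after authentication.
    amount_changed = Transaction(125_000, "EUR", tx.payee_iban)
    payee_changed = Transaction(tx.amount_minor, "EUR",
                                "FR7630006000011234567890189")  # constructed
    return {
        "original": verify_code(key, tx, code, now=1_000_010),
        "amount_changed": verify_code(key, amount_changed, code, now=1_000_010),
        "payee_changed": verify_code(key, payee_changed, code, now=1_000_010),
        "expired": verify_code(key, tx, code,
                               now=1_000_000 + CODE_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    print(demo())
```

Only the unmodified transaction verifies; any change to amount or payee, or presenting the code after its window, is rejected. In a real deployment the amount and payee shown to the user on the authenticating device must be the same values fed into the code, or the binding proves nothing.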
1.3 Open Banking Compliance
VebboPay supports open banking principles by providing and consuming APIs that comply with PSD2 access-to-account requirements. We maintain dedicated interfaces for third-party providers (TPPs) and ensure that these interfaces offer the same availability, performance, and security as our customer-facing interfaces. Our APIs conform to recognised open banking standards and are documented in accordance with regulatory expectations.
1.4 Refund Procedures
In compliance with PSD2 Articles 71–77, VebboPay provides clear and accessible refund mechanisms for unauthorised and incorrectly executed payment transactions. Users who identify an unauthorised or incorrectly executed payment transaction are entitled to a refund, provided they notify us without undue delay and no later than 13 months after the debit date. For unauthorised transactions we refund the amount immediately, and in any event no later than the end of the following business day after becoming aware of the transaction, unless we have reasonable grounds to suspect fraud and have communicated those grounds to the relevant national authority in writing.
1.5 Consumer Protections
VebboPay adheres to all PSD2 consumer protection requirements, including:
- Transparent and complete pre-contractual and contractual information about payment services, fees, and exchange rates.
- Clear notification of all payment transactions, including amounts, fees, and reference information.
- Liability limitations for unauthorised transactions, capping user liability at €50 for losses arising from a lost, stolen, or misappropriated payment instrument before the user notifies us, except where the user has acted fraudulently or with gross negligence.
- Prohibition of surcharges on consumer payment instruments for which interchange fees are regulated under Regulation (EU) 2015/751.
1.6 PSD3 Preparation
VebboPay is actively monitoring and preparing for the forthcoming Payment Services Directive 3 (PSD3) and the accompanying Payment Services Regulation (PSR). Our compliance team has initiated a gap analysis to assess the impact of the proposed changes, including enhanced fraud prevention requirements, an expanded scope of open banking obligations, improvements to the authorisation framework, and the merger of the payment institution and electronic money institution authorisation regimes. We are committed to ensuring a seamless transition as PSD3 and the PSR enter into application.
2. EU AI Act — Regulation (EU) 2024/1689
The EU AI Act establishes a comprehensive regulatory framework for artificial intelligence systems. As an autonomous financial agentic AI platform, VebboPay takes its obligations under this regulation with the utmost seriousness.
2.1 Classification as a High-Risk AI System
VebboPay's AI-driven payment agents and decisioning systems fall within the scope of Annex III of the EU AI Act as AI systems used in the area of access to and enjoyment of essential private services, including financial services. Specifically, our AI systems are classified as high-risk because they are used to evaluate creditworthiness, assess risk, and make or assist in making decisions that materially affect natural persons' access to financial services and products.
2.2 Conformity Assessment
As a provider and deployer of high-risk AI systems, Cibeeo Inc SRL undertakes conformity assessment procedures in accordance with Article 43 of the EU AI Act. This includes:
- Internal quality management system reviews covering AI system design, development, and deployment processes.
- Technical documentation prepared in accordance with Annex IV, detailing system architecture, training data, evaluation methodologies, and performance metrics.
- Registration of our high-risk AI systems in the EU database established under Article 71, in accordance with the registration obligations of Article 49.
- An EU declaration of conformity drawn up under Article 47 for each high-risk AI system we deploy.
2.3 Human Oversight Mechanisms
In compliance with Article 14, VebboPay has implemented robust human oversight mechanisms to ensure that AI agent actions can be monitored, intervened upon, and overridden by authorised human operators. These mechanisms include:
- Real-time dashboards providing complete visibility into AI agent decision-making processes and transaction execution.
- Configurable escalation thresholds that automatically route decisions above specified risk or value levels to human reviewers.
- Kill-switch functionality enabling immediate suspension of any AI agent's operations.
- Mandatory human approval for transactions exceeding user-defined limits or flagged by our risk management system.
- Comprehensive audit trails recording all AI agent decisions and the rationale behind them.
2.4 Transparency Obligations
VebboPay meets its transparency obligations under Article 13 and, for systems that interact directly with natural persons, Article 50 by:
- Clearly informing all users that they are interacting with an AI system when engaging with VebboPay's autonomous agents.
- Providing accessible documentation explaining how AI agents make payment decisions, within the bounds of protecting proprietary algorithms and security measures.
- Disclosing to users the capabilities, limitations, and intended purpose of each AI agent functionality.
- Enabling users to interpret and appropriately use the outputs of our AI systems.
2.5 Risk Management System
VebboPay operates a continuous risk management system in accordance with Article 9, which encompasses:
- Identification and analysis of known and reasonably foreseeable risks associated with each AI system.
- Estimation and evaluation of risks arising from intended use and reasonably foreseeable misuse.
- Adoption of appropriate and targeted risk management measures, including design choices, technical safeguards, and information and training provisions.
- Testing and validation procedures to ensure that risks are effectively mitigated, including pre-deployment testing and ongoing monitoring.
2.6 Technical Documentation
We maintain comprehensive technical documentation for all high-risk AI systems as required by Article 11 and Annex IV. This documentation includes detailed descriptions of the AI system's intended purpose, design specifications, development methodology, training and validation data, performance metrics, and any known limitations. Documentation is kept up to date throughout the lifecycle of each AI system.
2.7 Post-Market Monitoring
In accordance with Article 72, VebboPay has established a post-market monitoring system proportionate to the nature and risks of our AI systems. This system collects, documents, and analyses relevant data on the performance of our AI systems throughout their lifecycle, enabling us to ensure continued compliance with the requirements of the EU AI Act and to identify potential risks promptly.
2.8 Compliance Timeline
VebboPay is aligned with the phased implementation timeline of the EU AI Act. We are preparing for full compliance with the high-risk AI system requirements by August 2026, when the relevant provisions enter into application. Our compliance roadmap includes completing all conformity assessments, finalising technical documentation, and ensuring all human oversight and risk management systems are fully operational before this deadline.
3. DORA — Digital Operational Resilience Act
Regulation (EU) 2022/2554 (DORA) establishes uniform requirements for the security of network and information systems of financial entities. As a payment services provider, VebboPay falls within the scope of DORA and has implemented measures to meet its requirements.
3.1 ICT Risk Management Framework
VebboPay has established a comprehensive ICT risk management framework in accordance with Articles 5–16 of DORA. This framework includes:
- A governance structure with clear roles and responsibilities for ICT risk management, with ultimate accountability at the management body level.
- Identification and classification of all ICT assets, systems, and dependencies supporting critical and important functions.
- Continuous monitoring and detection of anomalous activities and potential ICT-related incidents.
- Implementation of protection and prevention measures, including access controls, encryption, network segmentation, and patch management.
- Business continuity and disaster recovery plans ensuring the resilience of critical services.
- Regular review and updating of the ICT risk management framework to address evolving threats.
3.2 ICT-Related Incident Reporting
VebboPay has implemented incident classification, management, and reporting procedures in compliance with Articles 17–23 of DORA. Major ICT-related incidents are reported to the relevant competent authority using standardised templates and within the prescribed timeframes, including initial notification, intermediate reports, and final reports. We maintain detailed records of all ICT-related incidents, including root cause analyses and remediation actions.
3.3 Digital Operational Resilience Testing
In accordance with Articles 24–27, VebboPay conducts regular digital operational resilience testing, including:
- Vulnerability assessments and network security scans performed at least annually.
- Scenario-based testing and tabletop exercises simulating various cyber threat scenarios.
- Penetration testing conducted by qualified independent parties.
- Threat-led penetration testing (TLPT) as required for entities meeting the relevant thresholds.
- Source code reviews and performance testing of critical systems.
3.4 Third-Party ICT Service Provider Oversight
VebboPay maintains a register of all contractual arrangements with third-party ICT service providers as required under Article 28. Our third-party risk management programme includes due diligence assessments, contractual provisions ensuring appropriate security standards and audit rights, ongoing monitoring of service provider performance, and exit strategies to ensure continuity of critical functions in the event of service disruption or termination.
3.5 Cyber Threat Intelligence
VebboPay participates in voluntary cyber threat intelligence sharing arrangements in accordance with Article 45 of DORA. We exchange anonymised threat indicators, tactics, techniques, and procedures (TTPs) with trusted counterparts to enhance the collective cyber resilience of the financial sector, while ensuring that all sharing complies with data protection requirements and competitive sensitivity considerations.
4. MiCA — Markets in Crypto-Assets Regulation
Regulation (EU) 2023/1114 (MiCA) establishes a regulatory framework for crypto-assets and crypto-asset service providers within the EU.
4.1 Applicability Statement
VebboPay's core services are focused on fiat currency payment processing, AI-driven financial agent management, and traditional payment services. As of the date of this document, VebboPay does not offer crypto-asset services, issue crypto-assets, or operate as a crypto-asset service provider (CASP) within the meaning of MiCA.
Should VebboPay elect to introduce crypto-asset functionality in the future — including acceptance, exchange, or custody of crypto-assets — we will obtain the requisite MiCA authorisation from the appropriate national competent authority, implement all applicable prudential and conduct-of-business requirements, and update this regulatory disclosure accordingly. Users will be notified of any material changes to our service offering and regulatory status.
5. AMLD5 / AMLD6 — Anti-Money Laundering Directives
VebboPay is committed to the prevention, detection, and reporting of money laundering and terrorist financing in compliance with Directive (EU) 2018/843 (AMLD5), Directive (EU) 2018/1673 (AMLD6), and applicable national transpositions.
5.1 AML/CFT Compliance Framework
Our anti-money laundering and counter-terrorist financing (AML/CFT) compliance framework includes:
- Customer Due Diligence (CDD): Risk-based identification and verification of all customers at onboarding and on an ongoing basis, including simplified due diligence (SDD) for lower-risk relationships and enhanced due diligence (EDD) for higher-risk customers, politically exposed persons (PEPs), and customers from high-risk jurisdictions.
- Transaction Monitoring: Automated and manual monitoring of all transactions for suspicious patterns, unusual activity, and indicators of money laundering or terrorist financing, including AI-enhanced anomaly detection.
- Suspicious Activity Reporting (SAR): Procedures for timely filing of suspicious activity reports with the relevant Financial Intelligence Unit (FIU) in accordance with national requirements.
- Record Keeping: Retention of all CDD documentation, transaction records, and SAR filings for the legally required period of at least five years following the end of the business relationship or the date of the transaction.
- Staff Training: Regular AML/CFT training programmes for all employees, with enhanced training for staff in compliance-sensitive roles.
- Independent Audit: Periodic independent audits of the AML/CFT programme to assess its adequacy and effectiveness.
- Appointed MLRO: Designation of a Money Laundering Reporting Officer (MLRO) with sufficient authority, resources, and access to relevant information to fulfil their responsibilities effectively.
5.2 AMLD6 Predicate Offences
VebboPay's compliance programme addresses the expanded catalogue of predicate offences introduced by AMLD6, including cybercrime, environmental crimes, and tax crimes. Our monitoring systems are calibrated to detect patterns indicative of laundering proceeds derived from these expanded categories of criminal activity. We also recognise the extended criminal liability provisions under AMLD6, including aiding, abetting, inciting, and attempting money laundering, and ensure our controls are designed to prevent any facilitation of such conduct.
6. ePrivacy Directive
VebboPay is committed to protecting the confidentiality and privacy of electronic communications in accordance with the ePrivacy Directive 2002/58/EC (as amended) and its national transpositions. The proposed ePrivacy Regulation that was intended to replace the Directive was withdrawn by the European Commission in 2025; we monitor any successor proposal and will update this section if one is adopted.
6.1 Electronic Communications Privacy
Our commitments in this area include:
- Communication Confidentiality: All electronic communications processed through VebboPay's systems, including transaction notifications, authentication messages, and agent communications, are treated as confidential and protected by appropriate technical and organisational measures.
- Cookie and Tracking Compliance: VebboPay obtains valid, informed consent before placing non-essential cookies or employing tracking technologies on users' devices. Our cookie management platform provides granular control, enabling users to accept, reject, or customise their cookie preferences at any time. For further details, see our Cookie Policy.
- Direct Marketing: We obtain prior opt-in consent before sending any direct marketing communications via electronic channels. Users may withdraw their consent at any time through their account settings or by using the unsubscribe mechanism provided in each marketing communication.
- Metadata Protection: We minimise the collection and processing of electronic communications metadata and ensure that any processing is lawful, proportionate, and limited to what is strictly necessary for the provision of our services or compliance with legal obligations.
7. Consumer Rights Directive
VebboPay complies with Directive 2011/83/EU (Consumer Rights Directive), as amended by Directive (EU) 2019/2161 (Omnibus Directive), to the extent applicable to our financial services. Financial services contracts concluded at a distance are currently governed by Directive 2002/65/EC (Distance Marketing of Financial Services); Directive (EU) 2023/2673 repeals that Directive and brings such contracts within the Consumer Rights Directive with effect from 19 June 2026.
7.1 Distance Selling Requirements
As VebboPay's services are offered remotely, we comply with the distance selling provisions by:
- Providing comprehensive pre-contractual information to consumers before they are bound by a contract, including the identity of the trader, main characteristics of the services, total prices, and the right of withdrawal where applicable.
- Delivering contractual terms in a durable medium that consumers can store and reproduce.
- Ensuring that our order processes clearly indicate the obligation to pay, with explicit acknowledgment required before any payment commitment.
7.2 Cooling-Off Period
Where the right of withdrawal applies to VebboPay's services, consumers are afforded a 14-day cooling-off period from the date of contract conclusion, during which they may withdraw without providing any reason and without incurring any costs beyond those expressly permitted by law. We note that certain financial services may be exempt from the right of withdrawal in accordance with applicable law, particularly where the service has been fully performed with the consumer's prior express consent and acknowledgment that the right of withdrawal is lost upon full performance.
7.3 Transparency and Fairness
In accordance with the Omnibus Directive amendments, VebboPay ensures transparency in its pricing, avoids unfair commercial practices, and provides consumers with clear information about personalisation of prices where applicable. We do not employ dark patterns or manipulative design techniques in our user interfaces.
8. Regulatory Contact and Further Information
Cibeeo Inc SRL takes its regulatory obligations seriously and welcomes inquiries from regulators, supervisory authorities, and stakeholders. For regulatory inquiries, please contact:
- Compliance Department: compliance@vebbopay.com
- Data Protection Officer: dpo@vebbopay.com
- General Legal Inquiries: legal@vebbopay.com
This regulatory compliance overview is subject to periodic review and will be updated to reflect changes in applicable legislation, our licensing status, and our operational practices. Users are encouraged to review this page regularly for the most current information.
© 2026 Cibeeo Inc SRL. All rights reserved. VebboPay is a registered trademark of Cibeeo Inc SRL.