Building a Card-Issuing Stack: BIN Sponsorship, KYC, Risk, Disputes

Launching a card program—whether co-brand credit cards, corporate expense cards, or neobank debit cards—requires navigating a complex stack of regulatory, technical, and operational requirements. Here's what you're actually building.

The Issuing Stack Layers

1. BIN Sponsorship

You can't issue cards without a Bank Identification Number (BIN). The first 6-8 digits of every card number identify the issuing institution and card type.

Option A: Become a Bank

Requirements: Banking charter, capital reserves (millions to billions), regulators
Timeline: Years
Reality: Not viable for most fintechs

Option B: BIN Sponsorship

Partner with a licensed bank that lends you their BIN. You build the product; they handle regulatory heavy-lifting.

Sponsor bank provides:

BIN range allocation
Card network membership (Visa/Mastercard licensee)
Regulatory coverage (Fed, OCC, FDIC oversight)
Settlement accounts

You provide:

KYC/AML program
Fraud monitoring
Customer support
Product experience

Economics: Sponsor takes 0.2%-0.5% of transaction volume plus fixed fees. Worth it to avoid regulatory maze.

2. Card Network Integration

Once you have a BIN, you must integrate with Visa or Mastercard.

Certification Requirements

Authorization engine: Respond to auth requests in <3 seconds
Fraud scoring: Real-time transaction risk assessment
Clearing and settlement: File-based batch processing
Dispute management: Chargeback handling per network rules

Network Fees

Annual licensing: $50K-$500K depending on volume
Per-transaction fees: $0.02-$0.05 for debit, higher for credit
Scheme fees: Network assessments (0.13%-0.15% of volume)

Integration Path

Most issuers use processor middleware (Marqeta, Stripe Issuing, Lithic) instead of direct network integration. Processors handle:

Network certification
Message format translation (ISO 8583)
Compliance with scheme mandates
PCI DSS scope reduction

Tradeoff: Processors add cost (~1% of volume) but save 18 months of integration work.

3. KYC & Onboarding

Before issuing a card, you must verify the cardholder's identity.

Individual KYC

Identity verification: Government ID + selfie match
Address proof: Utility bill, bank statement
Sanctions screening: OFAC, UN, EU lists
PEP checks: Politically Exposed Persons
Adverse media: Criminal records, fraud databases

Vendors: Jumio, Onfido, Persona, Plaid Identity

Business KYC (Corporate Cards)

Company verification: Corporate registry lookup
Beneficial ownership: Ultimate ownership structure (25%+ stake)
Business validation: Tax ID, operating address
Authorized representatives: Who can approve card issuance?

Challenges: Cross-border businesses, shell companies, frequent ownership changes

Continuous Monitoring

KYC isn't one-time. Regulators expect:

Periodic re-verification: Annual or risk-based
Transaction monitoring: AML pattern detection
Watchlist screening: Real-time updates as sanctions lists change

4. Authorization & Processing

When a cardholder swipes, your system must decide: approve or decline?

Authorization Flow

Network routes auth request to your processor
Processor forwards to your authorization server
You evaluate:
- Sufficient balance/credit limit?
- Card active (not lost/stolen/expired)?
- Transaction within velocity limits?
- Passes fraud scoring?
Respond: Approve (00), Decline (51-insufficient funds, 05-generic decline)

Response Time Budget

Total SLA: <3 seconds (network requirement)
Processor overhead: ~500ms
Your logic: Must execute in <2 seconds
Database lookups: Pre-cached in Redis, not live DB queries

Fraud Scoring

Must happen in-line during auth:

Velocity checks: Max 5 transactions/10min, $500/hour
Geography: Does card location match cardholder home?
Merchant category: Suspicious MCCs (wire transfer services, crypto exchanges)
Behavioral anomaly: ML model predicting fraud probability

Tradeoff: False positives hurt user experience, false negatives cost money.

5. Ledger & Accounting

Every transaction must be recorded with double-entry accounting.

Core Entities

Card account: Debit balance (prepaid) or credit balance (revolving)
Settlement account: Pooled funds held at sponsor bank
Fee accounts: Interchange revenue, network fees, processor costs

Transaction Posting

Authorization hold: Encumber available balance
Clearing: Final amount (may differ from auth)
Settlement: Funds transfer T+1 or T+2

Reconciliation

Daily reconciliation between:

Your ledger (what you think happened)
Processor statements (what actually cleared)
Network settlement files (what moved between banks)

Mismatches = money lost or compliance risk.

6. Dispute Management

Cardholders can dispute charges (chargebacks). You must handle them per network rules.

Chargeback Flow

Cardholder complains to you (not bank, you're the issuer)
You investigate: Does claim have merit?
If valid, initiate chargeback via network
Merchant responds with evidence (proof of delivery, signature)
You review merchant evidence
Decide: Accept merchant evidence (reverse chargeback) or proceed (debit merchant)

Timeframes

Cardholder has 60-120 days post-transaction to dispute
You have 30-45 days to respond to merchant evidence
Arbitration: If unresolved, network decides (costs $500+ per case)

Chargeback Abuse

Monitor for friendly fraud: Cardholders claiming "didn't receive" when they did.

7. Regulatory Compliance

Card issuing is heavily regulated. Key requirements:

US (Reg E - Debit, Reg Z - Credit)

Error resolution: Investigate disputes within 45 days
Billing statement rules: Must send monthly if activity
Liability limits: $50 max cardholder liability if reported promptly

AML (Anti-Money Laundering)

Suspicious Activity Reports (SARs): File within 30 days of detecting suspicious patterns
Transaction monitoring: Detect structuring, layering, integration
Record keeping: 5-year retention of KYC docs and transactions

PCI DSS

Cardholder data: Encrypted in transit and at rest
Access controls: Who can view full PAN?
Quarterly scans: External vulnerability assessments
Annual audits: Self-assessment or 3rd-party audit

GDPR / CCPA

Data rights: Cardholders can request data export or deletion
Breach notification: 72 hours to notify regulators if PII leaked

8. Operations

The unsexy stuff that keeps cards working:

Card production: Embossing, mailing, tracking delivery
PIN management: Secure PIN mailers or in-app PIN set
Customer support: Lost/stolen reporting, transaction disputes, balance inquiries
Fraud alerts: SMS/email notifications for suspicious activity
Card controls: Spending limits, merchant blocks, geographic restrictions

Build vs Buy

Build In-House

Pros: Full control, no processor margin, custom features Cons: 18-24 months to launch, $5M+ investment, regulatory burden

Use Card Issuing Platform (Marqeta, Stripe, Lithic, Adyen)

Pros: Launch in weeks, turnkey compliance, managed infrastructure Cons: ~1% platform fee, less customization, vendor lock-in

Middle ground: Use platform for v1, migrate critical components in-house as you scale.

Economics

Revenue:

Interchange: 0.3%-2% of transaction volume (higher for credit, lower for debit)
Annual fees: $50-$500/card (premium cards)
FX markup: 1%-3% on cross-border transactions

Costs:

BIN sponsor: 0.2%-0.5% of volume
Processor: 0.5%-1% of volume
Network fees: 0.15%-0.25% of volume
KYC: $1-$5 per verification
Card production: $2-$10 per card
Fraud losses: 0.1%-0.5% of volume (if controls are good)

Margins: Thin. You need scale (millions in volume) to be profitable.

Key Takeaways

BIN sponsorship is the entry ticket—partner with a bank unless you are one
KYC and compliance are non-negotiable, build robust programs from day one
Authorization must be fast (<2s) and smart (fraud prevention)
Disputes are operationally heavy, budget for support team
Build vs buy depends on timeline, budget, and control needs

Card issuing is complex but tractable. Most successful fintechs start with a platform (Stripe, Marqeta) and selectively bring components in-house as they scale.