Israel';s fintech and payments sector is governed by a structured, multi-authority licensing regime that international operators frequently underestimate. Any business seeking to provide payment services, issue electronic money, or operate a digital lending platform in Israel must obtain specific authorisation before commencing activity. Failure to do so exposes directors and shareholders to criminal liability under the Payment Services Law and the Supervision of Financial Services Law. This article covers the legal architecture of fintech regulation in Israel, the available licensing tracks, the compliance obligations attached to each licence, the most common pitfalls for foreign entrants, and the strategic choices operators face when structuring their Israeli market entry.
Israel';s regulatory framework for fintech and payments is not consolidated in a single statute. It is distributed across several interconnected laws, each administered by a different authority.
The primary legislation governing payment services is the Payment Services Law, 5779-2019 (Chok Sherut Tashlumim). This law defines the categories of regulated payment activity, establishes the licensing obligation, and sets out the supervisory powers of the Bank of Israel (Bank Yisrael). The Bank of Israel operates a dedicated Payments and Settlement Division that issues licences, conducts ongoing supervision, and publishes binding directives.
The Supervision of Financial Services (Regulated Financial Services) Law, 5776-2016 (Chok Pikuach al Sherut Finansi) governs credit providers, loan intermediaries, and certain digital lending platforms. The Capital Market, Insurance and Savings Authority (Rashut Shuk HaHon, HaBituach VeHahisachon - hereinafter CMISA) administers this law and issues the relevant licences.
The Prohibition on Money Laundering Law, 5760-2000 (Chok Isur Halbanat Hon) applies to all licensed payment service providers and financial service providers. Compliance with anti-money laundering (AML) and counter-terrorism financing (CTF) obligations is a condition of every licence and is enforced jointly by the Bank of Israel, CMISA, and the Israel Money Laundering and Terror Financing Prohibition Authority (Reshut Isur Halbanat Hon - IMPA).
The Banking (Licensing) Law, 5741-1981 (Chok HaBankaut - Risha';yon) remains relevant for any fintech that seeks to accept deposits or issue credit at scale, as those activities require a full banking licence from the Bank of Israel, which is a materially higher regulatory threshold.
Crypto-asset service providers operate in a partially overlapping space. The Bank of Israel has issued guidance treating certain crypto activities as payment services where they involve fiat conversion or settlement. CMISA has asserted jurisdiction over crypto lending and investment products. The Israeli Securities Authority (Reshut Nirot Erech - ISA) has jurisdiction where crypto assets qualify as securities under the Securities Law, 5728-1968 (Chok Nirot Erech).
Understanding which authority governs which activity is the first critical step. A common mistake among international operators is to assume that a single licence covers all planned activities. In practice, a fintech offering payments, credit, and crypto exchange services may need authorisations from three separate regulators simultaneously.
The Payment Services Law, 5779-2019 establishes two principal licence categories for payment service providers: a full Payment Service Provider (PSP) licence and a limited Payment Initiation Service Provider (PISP) licence. Each carries distinct capital requirements, operational obligations, and supervisory intensity.
A full PSP licence is required for businesses that execute payment transactions, hold client funds, issue payment instruments, or operate payment accounts. The applicant must demonstrate minimum equity capital at a level set by Bank of Israel directives, which is calibrated to the volume and nature of the services provided. For most mid-sized operators, the required capital falls in the range of several hundred thousand to low millions of USD equivalent in Israeli shekels. The application process involves submission of a detailed business plan, AML/CTF compliance programme, IT security assessment, and fit-and-proper documentation for all directors and beneficial owners holding more than ten percent of the entity.
A PISP licence covers businesses that initiate payment orders on behalf of users from accounts held at other institutions, without holding client funds. The capital requirement is lower, and the compliance framework is somewhat lighter, but the applicant must still demonstrate robust cybersecurity controls and data protection measures consistent with the Protection of Privacy Law, 5741-1981 (Chok Haganat HaPratiyut).
The Bank of Israel has also introduced a regulatory sandbox framework under the Innovation Lab (Machon HaHidush) programme. This track allows early-stage fintechs to test regulated services under a temporary exemption for a defined period, typically up to twelve months, with a reduced compliance burden. The sandbox does not confer a permanent licence and does not permit full commercial scale-up without subsequent full licensing.
Processing timelines for a full PSP licence application typically run between six and twelve months from submission of a complete file. Incomplete applications reset the clock. A non-obvious risk is that the Bank of Israel may issue a conditional licence requiring the applicant to remediate specific deficiencies within a fixed period, often sixty to ninety days, before the licence becomes unconditional. Missing that remediation deadline can result in licence revocation.
To receive a checklist on PSP licence application requirements in Israel, send a request to info@vlolawfirm.com
Businesses providing credit, loan intermediation, or digital lending services in Israel must obtain a licence from CMISA under the Supervision of Financial Services (Regulated Financial Services) Law, 5776-2016. This law distinguishes between credit providers (Notnei Ashrai) and credit intermediaries (Metavchei Ashrai), and each category has its own licensing conditions.
A credit provider licence is required for any entity that extends loans to Israeli residents from its own balance sheet. The applicant must demonstrate adequate capital adequacy, a sound credit risk management framework, and a compliant AML/CTF programme. CMISA also requires disclosure of the ultimate beneficial ownership structure, which must be transparent and verifiable. Entities with complex offshore holding structures frequently encounter delays at this stage because CMISA requires apostilled or notarised documentation from each jurisdiction in the chain.
A credit intermediary licence covers platforms that match borrowers with lenders, including peer-to-peer lending platforms. The capital requirement is lower than for direct credit providers, but the platform must implement investor protection mechanisms and clear disclosure obligations to both sides of the transaction.
CMISA has issued binding circulars (Chozrim) that supplement the statutory framework. These circulars address topics including maximum interest rate caps under the Credit Data Law, 5776-2016 (Chok Nituach Ashrai), mandatory disclosure formats, and the treatment of distressed borrowers. International operators who rely solely on the statutory text without reviewing the current circulars frequently find themselves non-compliant on operational details.
The processing time for a CMISA credit provider licence is broadly comparable to the Bank of Israel PSP timeline, running six to twelve months for a complete application. CMISA has a formal completeness review stage: if the submitted file is incomplete, the authority issues a deficiency notice and the substantive review does not begin until all gaps are filled.
A practical scenario illustrates the stakes. A European buy-now-pay-later operator entering Israel may assume its existing EU licence provides a basis for equivalence recognition. Israel has no formal passporting arrangement with the EU. The operator must apply for a standalone Israeli licence, restructure its Israeli-facing product to comply with Israeli interest rate caps, and appoint a local compliance officer. Attempting to serve Israeli customers without a licence while the application is pending exposes the entity to enforcement action by CMISA, including fines and public disclosure of the violation.
Every licensed payment service provider and financial service provider in Israel operates under a detailed AML/CTF compliance framework derived from the Prohibition on Money Laundering Law, 5760-2000 and the subordinate regulations issued by IMPA and the relevant supervisory authority.
The core obligations include customer due diligence (CDD) at onboarding, enhanced due diligence (EDD) for higher-risk customers and transactions, ongoing transaction monitoring, suspicious transaction reporting (STR) to IMPA, and record retention for a minimum period of seven years under Regulation 11 of the Anti-Money Laundering Regulations (Financial Service Providers), 5777-2017.
Licensed operators must appoint a designated compliance officer (Memune Atidat Halbanat Hon) who is responsible for the AML/CTF programme and who reports directly to senior management. The compliance officer must meet fit-and-proper criteria and cannot simultaneously hold a role that creates a conflict of interest with the compliance function.
The Bank of Israel and CMISA conduct periodic on-site inspections and off-site reviews. Inspections focus on the quality of the CDD process, the effectiveness of transaction monitoring systems, and the timeliness of STR filings. A common finding in inspections of international operators is that the transaction monitoring system was calibrated for a different jurisdiction';s risk profile and generates either excessive false positives or, more critically, fails to flag patterns specific to the Israeli market.
IMPA has the authority to impose administrative sanctions for AML/CTF breaches independently of the licensing authority. This means a fintech can face parallel enforcement proceedings from IMPA and from the Bank of Israel or CMISA simultaneously. The combined financial exposure from such parallel proceedings can reach the low millions of USD, in addition to reputational damage and potential licence suspension.
Many underappreciate the obligation to screen against Israeli-specific sanctions and designated lists maintained by the National Bureau for Counter Terror Financing (Lishkat HaMaavak BeMimun Terror), which operates alongside the international FATF-aligned lists. Screening only against OFAC or EU lists is insufficient for Israeli regulatory compliance.
To receive a checklist on AML/CTF compliance programme requirements for fintech operators in Israel, send a request to info@vlolawfirm.com
Israel does not yet have a comprehensive standalone crypto-asset regulatory law equivalent to the EU';s MiCA framework. Regulation of crypto-asset service providers (CASPs) is currently addressed through a combination of existing financial services laws, Bank of Israel guidance, ISA positions, and IMPA directives.
The Bank of Israel has taken the position, articulated in its published guidance on virtual assets, that entities providing exchange, transfer, or custody services involving virtual assets that are used as a means of payment are subject to the Payment Services Law, 5779-2019 and must obtain a PSP licence or operate under an applicable exemption. This position has significant practical consequences: a crypto exchange that processes fiat-to-crypto conversions for Israeli customers is likely conducting regulated payment activity.
The ISA has issued a position paper classifying certain crypto tokens as securities under the Securities Law, 5728-1968. Where a token constitutes a security, the issuer and any platform facilitating its trading must comply with prospectus requirements, trading platform licensing obligations, and ongoing disclosure rules. The ISA has taken enforcement action against unregistered crypto trading platforms, resulting in injunctions and financial penalties.
IMPA has issued specific AML/CTF directives for virtual asset service providers (VASPs), aligned with FATF Recommendation 15. These directives require VASPs to implement the travel rule for transfers above a threshold equivalent to approximately 1,000 USD, maintain records of originator and beneficiary information, and apply enhanced due diligence to transactions involving unhosted wallets.
A non-obvious risk for international crypto operators is the banking access problem. Israeli commercial banks have historically been reluctant to open accounts for crypto businesses, citing AML/CTF risk concerns. Without a local bank account, a licensed CASP faces severe operational constraints. Resolving this requires early engagement with banks, supported by a robust compliance programme and, in some cases, a formal opinion from the Bank of Israel confirming the operator';s licensed status.
The regulatory framework for crypto in Israel is actively evolving. The Ministry of Finance and the Bank of Israel have published consultation documents proposing a more structured CASP licensing regime. Operators entering the market now should build their compliance architecture to accommodate tighter requirements that are likely to be enacted within the next legislative cycle.
Three practical scenarios illustrate the range of situations international fintech operators encounter in Israel.
Scenario one: European PSP seeking Israeli market entry. A mid-sized European payment institution with an EU licence wants to offer payment services to Israeli merchants. It has no Israeli entity. The operator must incorporate an Israeli company, apply for a PSP licence from the Bank of Israel, appoint local management, and establish a compliant AML/CTF programme. The timeline from incorporation to licence grant is realistically twelve to eighteen months. Legal and compliance setup costs typically start from the low tens of thousands of USD, with ongoing annual compliance costs in a similar range. The business case must account for this runway before revenue generation begins.
Scenario two: US-based digital lender targeting Israeli consumers. A US fintech offering consumer credit products wants to expand to Israel through a digital platform. It must obtain a credit provider licence from CMISA, comply with Israeli interest rate caps under the Credit Data Law, 5776-2016, and integrate with the Israeli credit data bureau (Lishkat HaAshrai). The interest rate cap regime in Israel is more restrictive than in many US states, which may require product redesign. A common mistake is to launch a marketing campaign before the licence is granted, which constitutes unlicensed financial service provision and triggers CMISA enforcement.
Scenario three: Crypto exchange seeking to serve Israeli retail customers. A crypto exchange incorporated in a third country wants to onboard Israeli retail users. It must assess whether its activities constitute regulated payment services under the Payment Services Law, 5779-2019, whether any tokens it lists qualify as securities under the Securities Law, 5728-1968, and whether it must register as a VASP with IMPA. The operator faces a multi-regulator engagement process. Attempting to serve Israeli customers through a foreign entity without any Israeli regulatory engagement is the highest-risk approach and has resulted in enforcement actions in comparable cases.
The strategic choice between establishing a fully licensed Israeli subsidiary and operating through a cross-border model depends on the volume of Israeli business, the nature of the services, and the operator';s risk appetite. For operators with significant Israeli revenue, a licensed subsidiary is the only sustainable path. For operators with marginal Israeli exposure, a careful legal analysis of whether Israeli regulatory jurisdiction is triggered may support a different approach - but that analysis must be conducted by counsel with specific knowledge of Israeli financial services law, not extrapolated from other jurisdictions.
The cost of non-specialist mistakes in this jurisdiction is high. Enforcement actions by the Bank of Israel, CMISA, or IMPA are publicly disclosed, which damages commercial relationships with Israeli banking partners and institutional clients. Directors of unlicensed entities face personal criminal liability under Section 36 of the Payment Services Law, 5779-2019, which provides for imprisonment of up to two years in addition to financial penalties.
We can help build a strategy for market entry, licensing, and compliance structuring in Israel. Contact info@vlolawfirm.com to discuss your specific situation.
What is the most significant practical risk for a foreign fintech entering the Israeli market without local legal counsel?
The most significant risk is misidentifying which regulatory regime applies to the planned activity. Israel';s fintech regulation is distributed across multiple laws and authorities, and the boundaries between them are not always obvious from the statutory text alone. An operator that obtains a PSP licence from the Bank of Israel but fails to recognise that its credit component also requires a CMISA licence will find itself in breach of the Supervision of Financial Services Law from day one of operations. This triggers enforcement exposure from a second regulator and may require a costly product redesign mid-launch. Early engagement with counsel who understands the multi-authority architecture is the most effective risk mitigation.
How long does the licensing process take, and what happens if the operator starts serving Israeli customers before the licence is granted?
A complete application for a PSP licence or a credit provider licence typically takes six to twelve months from submission to decision, assuming no material deficiencies. If the application file is incomplete, the substantive review does not begin, and the timeline extends accordingly. Serving Israeli customers before a licence is granted constitutes unlicensed regulated activity. The Bank of Israel and CMISA have the authority to issue cease-and-desist orders, impose administrative fines, and refer cases for criminal prosecution. The reputational consequence of a public enforcement action can also close off banking relationships in Israel, which are already difficult to establish for fintech operators.
When should an operator choose the regulatory sandbox over a full licence application?
The Bank of Israel';s Innovation Lab sandbox is appropriate for early-stage operators that want to test a product concept with a limited user base before committing to the full licensing process. It is not a substitute for a full licence if the operator intends to scale commercially. The sandbox period is time-limited, typically up to twelve months, and the operator must transition to a full licence to continue operating at the end of the sandbox period. Operators that use the sandbox strategically - to refine their compliance programme, demonstrate operational capability to the Bank of Israel, and build a track record - often find that the subsequent full licence application proceeds more smoothly. Operators that treat the sandbox as a way to delay compliance investment typically face a more difficult transition.
Israel';s fintech and payments regulatory framework is sophisticated, multi-layered, and actively enforced. The Payment Services Law, the Supervision of Financial Services Law, and the AML/CTF regime collectively create a compliance architecture that rewards early, thorough preparation and penalises shortcuts. International operators that invest in proper legal structuring before market entry avoid the enforcement exposure, banking access problems, and reputational risks that have affected less-prepared entrants. The evolving crypto regulatory framework adds a further dimension that requires ongoing monitoring as new legislation develops.
Our law firm VLO Law Firms has experience supporting clients in Israel on fintech regulation, payments licensing, and financial services compliance matters. We can assist with licence application preparation, multi-regulator engagement, AML/CTF programme design, and ongoing compliance support. To receive a consultation, contact: info@vlolawfirm.com
To receive a checklist on fintech and payments licensing strategy in Israel, send a request to info@vlolawfirm.com