How Ovra is regulated
Ovra is a German technology company that provides payment infrastructure for AI agents. Ovra itself is not a bank, e-money institution, or payment institution — and does not need to be.
Why? Ovra does not hold, move, or settle funds directly. Instead, Ovra orchestrates payments through licensed partners:
| Role | Who | Regulated by |
|---|---|---|
| Card issuing | Wallester AS (Visa Principal Member) | Estonian Financial Supervision Authority (Finantsinspektsioon), EU-passported |
| Card network | Visa | National regulators + EU oversight |
| Funds custody | Licensed banking partner (SEPA IBAN) | Applicable EU banking regulator |
| Ovra | Technology platform (SaaS) | German trade law (GewO); GDPR/DSGVO |
Do I need a BaFin license to use Ovra?
No. You are using Ovra as a software service. The regulated activities (card issuing, fund custody, payment processing) are performed by Ovra’s licensed partners. You do not become a payment institution by using Ovra’s API — the same way you don’t become a bank by using a payment provider’s API.
When would you need BaFin (or equivalent) licensing?
- If you were issuing your own payment instruments
- If you were holding customer funds in your own accounts
- If you were providing payment services directly to end consumers
Ovra vs. crypto/stablecoin platforms
Some agentic payment solutions are built on blockchain rails and stablecoins. Ovra takes a fundamentally different approach:
| | Ovra | Crypto/Stablecoin platforms |
|---|---|---|
| Payment rail | Visa network (fiat) | Blockchain (stablecoins like USDC) |
| Currency | EUR (fiat only) | Stablecoins, sometimes fiat bridge |
| Regulation | EU-regulated partners (PSD2, EMD2) | Varies; MiCA emerging, often unregulated |
| Merchant acceptance | Anywhere Visa is accepted (80M+ merchants) | Requires merchant crypto acceptance |
| Settlement | Standard Visa settlement (1-2 days) | Blockchain finality (seconds-minutes) |
| Geographic focus | EU-native, GDPR by design | Typically US-first or global/unregulated |
| Agent identity | Visa Network Tokens, scoped to agent | Wallet addresses, often pseudonymous |
| Consumer protection | EU consumer protection, chargeback rights | Limited, depends on platform |
| Data residency | EU data residency | Typically no guarantees |
Regulatory framework
PSD2 (Payment Services Directive 2)
Ovra’s card issuing partner operates under PSD2 as a licensed e-money institution. This means:
- Strong Customer Authentication (SCA) where required by the issuer
- Transaction monitoring and fraud prevention at the network level
- Complaint handling and dispute resolution through established channels
- Deposit protection for e-money held by the licensed issuer
GDPR / DSGVO
Ovra is a German entity and processes all data under GDPR:
- EU data residency — data stays in the EU
- Data minimization — agents never receive card credentials (zero-knowledge checkout)
- Right to deletion — full GDPR export, consent management, and deletion via API (ovra_customer with gdpr_export, gdpr_consent, gdpr_delete)
- Data processing agreements available on request
AML / KYC
Anti-money-laundering and know-your-customer checks are performed by the licensed issuing partner during Go Live onboarding:
- Individual or business identification
- Document verification
- Sanctions screening
- Ongoing transaction monitoring at the issuer level
sk_test_*) does not require KYC — you can build and test immediately.
Frequently asked questions
Is Ovra a bank or payment institution?
No. Ovra is a technology company (SaaS). Card issuing, fund custody, and payment processing are handled by licensed EU partners. Ovra provides the API, policy engine, and agent orchestration layer.
Do I need a BaFin license to integrate Ovra?
No. Using Ovra’s API does not make you a payment institution. The regulated activities are performed by Ovra’s licensed partners. This applies whether you are a startup, enterprise, or building an agent platform.
Where is my data stored?
All data is stored in the EU. Ovra is a German company operating under GDPR/DSGVO. Card credentials (transitioning to Visa Network Tokens) are handled by the licensed issuing partner with EU data residency.
Is Ovra available outside the EU?
Ovra cards are virtual Visa cards accepted globally for online payments. The issuing infrastructure and data processing are EU-based. Teams outside the EU can use Ovra for EUR-denominated agent payments subject to onboarding requirements.
Why fiat and not crypto?
AI agents need to pay at real merchants — and 99% of online merchants accept Visa, not stablecoins. Fiat rails provide established consumer protection, regulatory clarity, and universal merchant acceptance. With Visa Network Tokens, we achieve the same security benefits (scoped credentials, cryptographic binding) that crypto proponents cite, but on rails that actually work everywhere.
What about PCI DSS?
Ovra’s zero-knowledge checkout model means card data never enters your system. PAN and CVV are handled server-side by Ovra and the licensed issuer. With the transition to Visa Network Tokens, even Ovra’s internal systems will not handle raw PANs. You do not need PCI DSS certification to use Ovra.
How does Ovra handle disputes and chargebacks?
Disputes are managed through the standard Visa dispute process. You can file, track, and resolve disputes via the API or MCP (ovra_dispute). Evidence attachment and resolution workflows are built in. See Disputes.
What happens if Ovra shuts down?
Card issuing and fund custody are held by the licensed partner (Wallester), not by Ovra. Your funds and active cards would continue to be governed by the issuer’s license and EU consumer protection rules. Ovra provides data export capabilities via GDPR endpoints.
