1. Yapily is an open-banking infrastructure provider operating through regulated entities in the UK and Lithuania. It offers account data access (AISP) and payment initiation (PISP) via API, including “Pay by Bank” flows marketed to iGaming. R42 flags elevated third-party/agent risk given reported high-risk merchant exposure and allegations of offshore-casino routing via intermediaries.

2. R42 Risk Signal

• Traffic Light: 🟠 Medium

• Confidence Grade: Corroborated

• Rationale (evidence-led): Yapily’s regulated perimeter is verifiable via the Bank of Lithuania profile for Yapily Connect UAB and UK authorisation indicators for Yapily Connect Ltd (incl. FCA register dataset references). The risk signal is driven by (a) explicit marketing to gaming/gambling and (b) third-party “connect” positioning that enables customers to use Yapily’s regulated rails without holding their own AISP/PISP permissions—raising exposure to partner/agent controls and downstream merchant quality. Allegations of offshore casino deposit routing appear in FinTelegram reporting and remain unproven here; they increase monitoring priority rather than constituting a finding.

4. Key Data (compact table)

5. What the Company Does
   Yapily positions itself as open-banking infrastructure: it provides API connectivity to banks so clients can (a) retrieve account information (AISP use cases like verification and data access) and (b) initiate account-to-account payments (PISP / “Pay by Bank”).
   In the “rail stack,” Yapily sits at the regulated open-banking layer between a merchant/PSP application and end-user banks—enabling bank-transfer payments and account-data access without card schemes.

6. Regulatory & Legal Framework

• UK: Payment initiation and account information services generally fall under the UK Payment Services Regulations 2017 / FCA perimeter for payment institutions. Yapily Connect Ltd is referenced as FCA-regulated (FRN 827001) in multiple legal/partner contexts; FCA register dataset also lists it as an Authorised Payment Institution (authorised since 2019-08-19 per dataset row).

• Lithuania/EEA (PSD2): The Bank of Lithuania lists Yapily Connect UAB as a payment institution (LB002045) with activities including Payment initiation services and Account information services from 2020-12-23.

• Group perimeter clarity: Yapily states that Yapily Ltd is not a regulated entity and does not provide regulated services; regulated activity sits in the “Connect” entities.

• AML/CFT expectations (generic): For AISP/PISP providers: strong customer/merchant onboarding, transaction monitoring (where applicable), fraud controls, sanctions screening where relevant, and robust partner oversight—especially when “regulated rails” are offered to third parties as an embedded capability. (R42 analysis based on standard regulatory expectations; not a claim of Yapily’s specific controls.)

7. Ownership, Founders, Executives

• Founder / CEO (publicly described): Stefano Vaccino is described as Founder & CEO in industry profiles and company communications.

• UK entity directors (Yapily Connect Ltd): directors listed include Stefano Vaccino, Roland Marc Selmer, and Gerd Hoxha (per Companies House officers page).

• Control / PSC: Yapily Connect Ltd’s PSC is Yapily Ltd with ≥75% ownership/votes and director appointment rights.

• Verification gaps (what would confirm ultimate UBO): latest Yapily Ltd cap table / allotment filings + shareholder registers; any consolidated group accounts showing controlling shareholders; confirmation statement details beyond PSC “influence/control.” (R42 note: PSC ≠ full beneficial ownership proof.)

8. Corporate Structure & Related Entities

• Parent: Yapily Ltd (UK)

• Regulated UK subsidiary: Yapily Connect Ltd (UK) — PSC controlled by Yapily Ltd

• Regulated EEA subsidiary: Yapily Connect UAB (Lithuania) — Payment Institution licence LB002045

• Name/history signal: Bank of Lithuania board materials reference “Safe Connect, UAB” in 2020 licensing context, with Yapily Ltd as direct shareholder—suggesting a prior name/structure history relevant for due diligence trails.

• Entity opacity check: no obvious mismatch in regulator register vs corporate registry addresses in the reviewed sources; however, historic addresses exist in filings (normal), so onboarding teams should reconcile “contracting entity + address + licence” per contract and register snapshot.

9. Products, Integrations & Technical Footprint

• API-first integration: Yapily documentation describes registration/integration setup processes for connecting to institutions (banks).

• “Connect” proposition (embedded compliance risk): Marketing states customers can “start using open banking without the need to acquire AISP or PISP licenses,” which implies Yapily can act as the regulated layer powering third parties.

• Payment methods: Focus is open-banking A2A (“Pay by Bank”) rather than card acquiring; use cases include onboarding/KYC support via account verification/data access.

• Where enforcement/penalties could surface: (R42 analysis) scheme-like chargebacks are not the primary vector for A2A; instead, risk tends to surface via bank disputes, fraud claims, regulator scrutiny of agent oversight, or partner misrepresentation of licence coverage.

10. Merchant / Customer Footprint

• Gaming/Gambling: Yapily publishes a dedicated Gaming & Gambling open-banking page targeting iGaming operators and payment portfolios, plus blog content tailored to iGaming payments.

• Named partners / “powered by Yapily” signals (public):

  • Payhawk publicly describes a partnership with Yapily for open-banking expansion.

  • Super Payments terms state open-banking payments are powered by Yapily Connect Limited (FRN 827001) (and Modulr).

  • Quant Flow terms reference being registered as a PSD Agent of Yapily Connect Ltd (FRN 827001).

  • Atoa brochure references being powered by Yapily Connect Limited (FCA license #827001).

• High-risk vertical exposure: marketing focus on iGaming increases the need for enhanced merchant screening, geo/legality controls, and partner oversight (especially for intermediaries aggregating multiple merchants).

11. Complaints, Allegations, Enforcement, Litigation

Public complaints & signals
No consolidated public complaint pattern was identified in the sources reviewed for this listing. (This is not a determination that complaints do not exist.)

Whistleblower / insider reports (if any) — UNVERIFIED

• Allegation (as reported by FinTelegram): Yapily’s regulated rails are allegedly being used—via a “technical layer” intermediary (Contiant)—to facilitate deposits into offshore casino environments.

• What would prove/disprove it:

  • merchant/acquirer/PSP contracts identifying the exact regulated entity and responsibility split;

  • payment flow evidence (bank transfer references, creditor name/IBAN mapping, redirect URLs, TPP IDs, consent logs);

  • partner/agent agreements and onboarding KYC files for intermediaries;

  • regulator correspondence or audit findings.

• Key questions:

  1. Which entity contracted the intermediary (UK vs LT)?

  2. Was the intermediary acting as an agent, a technical service provider, or a merchant of record?

  3. What monitoring/termination triggers exist for high-risk merchant traffic?

Regulatory actions / warnings
No public regulator enforcement or warning specific to Yapily was found in the sources reviewed as of 2026-01-17. (Ongoing monitoring recommended.)

12. Risk Factors & Red Flags

Regulatory risk

• Cross-jurisdiction operations (UK + EEA) require tight entity/permission clarity and contracting discipline.

• “Use open banking without your own AISP/PISP licence” positioning can elevate supervisory expectations around outsourcing/agent governance.

AML/CFT risk

• iGaming exposure increases fraud/chargeback-adjacent disputes, velocity risk, and potential unlicensed gambling flows.

• Reliance on intermediaries (PSPs/aggregators) can blur merchant identity and beneficial ownership at the edge.

Consumer/merchant harm risk

• Disputes may be harder for consumers to interpret (bank transfer rails vs card chargeback norms) (R42 analysis).

• If offshore gambling is involved, consumer protection and legality can become jurisdiction-dependent.

Operational/continuity risk

• API dependency and bank connectivity changes can affect uptime/coverage (common open-banking risk; R42 analysis).

Transparency/ownership risk

• Yapily Connect Ltd is controlled by Yapily Ltd (clear), but ultimate beneficial ownership requires deeper cap-table review for a “regulator-grade” picture.

Reputational risk

• Published allegations linking rails to offshore casino deposits (unverified here) increase reputational exposure and may trigger enhanced due diligence by counterparties.

13. Merchant Due-Diligence Checklist (Actionable)
    If you are a merchant/PSP considering Yapily-powered rails:

Contracting & licensing

• Obtain the exact contracting entity (Yapily Connect Ltd vs Yapily Connect UAB) and match it to regulator register snapshots (FCA FRN / BoL LB code).

• Request written confirmation of permissions scope (AISP/PISP), territory coverage, and whether you are treated as a direct customer, agent, or sub-merchant.

Partner/agent governance (critical for aggregators)

• If you are an intermediary: request the policy for onboarding/monitoring your downstream merchants (KYB, UBO checks, geo/legality checks for gambling).

• Ask whether you will be listed/registered as an agent/AR where required; verify independently.

Flow-level evidence & testing

• Run a controlled pilot and capture: consent screens, redirect domains, creditor/IBAN details, descriptor strings, and settlement references.

• Validate how refunds are handled on A2A rails (reversal vs payout) and what happens on consumer disputes.

Risk & compliance documentation

• Request AML/CFT program overview relevant to your integration (monitoring, escalation SLAs, SAR/STR handling expectations, sanctions controls).

• For gambling: request written policy on licensed-only acceptance, restricted geos, and proof of merchant licence verification.

Data protection & security

• Confirm data flows (AIS data scope), retention, and incident response obligations for API keys and consent artifacts.

When to walk away

• अस्पष्ट contracting entity; refusal to evidence permissions; no downstream merchant controls for high-risk verticals; inability to explain who holds liability for illegal-activity screening.

14. Evidence Box (References)

• Bank of Lithuania: Yapily Connect UAB profile (licence LB002045; address; AIS/PIS activities).

• Companies House: Yapily Ltd overview + officers + PSC.

• Companies House: Yapily Connect Ltd overview + officers + PSC (Yapily Ltd control).

• FCA register dataset (download) indicating Yapily Connect Ltd as Authorised Payment Institution (FRN 827001).

• Yapily: Group/legal disclosures and regulated-entity statements.

• Yapily: Gaming/Gambling solution page + iGaming payments content.

• Bank of Lithuania board resolution note referencing Safe Connect UAB + shareholder context.

• FinTelegram prior coverage (allegations re: offshore casinos via intermediaries).

• Third-party “powered by/agent” references: Super Payments, Quant Flow, Atoa brochure, Payhawk partnership blog.

15. Update Log (Evergreen)

• 2023-02-12: initial profile

• 2026-01-17: profile update
  Next scheduled checks: FCA register/permissions snapshot; Bank of Lithuania register changes + passporting list; Companies House filings (accounts/confirmation statements/PSC); new public complaints or regulator notices; new evidence on alleged offshore-casino routing.

16. Call for Information (Whistle42)
    Do you have contracts, onboarding emails, partner/agent agreements, settlement statements, bank-transfer references (creditor/IBAN/descriptor), consent logs, or regulator correspondence involving Yapily (or intermediaries claiming to use Yapily rails) — especially in gaming/gambling or offshore-casino contexts? Submit evidence securely via Whistle42.com. We are particularly looking for documents that clarify who the contracting entity is, who the merchant of record is, and what monitoring/termination triggers existed.