Reverse Solicitation Is Not One Rule: MiFID II, MiCA and PSD2 Compared

A common assumption among non-EU fintechs is that, provided they do not actively solicit EU customers, they can keep serving those customers without an EU licence. It is appealing and, depending on which regulation applies, it is either mostly wrong, narrowly correct, or essentially unavailable.

Reverse solicitation is not a single doctrine. It appears in different forms across the three EU regulations most relevant to fintech: MiFID II for investment services, MiCA for crypto-asset services, and PSD2 for payments. The wording is similar enough across the three to suggest the rules are the same. They are not.

This article walks through how each regime treats the exemption, where they agree, and where the differences are wide enough to matter in practice.

What regulators are actually worried about

“Reverse solicitation” means a client in the EU contacts a non-EU firm first, asks for a specific service, and receives it without the firm having done anything to provoke that contact. The firm does not need to be authorised in the EU for that one interaction.

Regulators dislike this for a simple reason: widen the definition slightly, and you have an authorisation-free route into the EU market. Both the statutory language and the guidance push the other way, the exemption is narrower than the industry would like, and is tightening.

MiFID II: the original “own exclusive initiative”

Reverse solicitation’s modern legal form begins with Article 42 of MiFID II. Where a client “established or situated in the Union initiates at its own exclusive initiative” the provision of an investment service or activity by a third-country firm, the Article 39 authorisation requirement does not apply. Recital 111 adds that the exemption cannot be relied on by a firm that solicits clients or potential clients in the Union or promotes or advertises investment services or activities together with ancillary services in the Union.

Article 42 also contains a forward-looking guardrail: the exemption does not allow the third-country firm to market “new categories of investment products or investment services” to the client otherwise than through the regime. One reverse-solicited transaction does not unlock a product shelf.

What firms often get wrong under MiFID II

Marketing is not the only thing that counts as solicitation. Each of the following can be deemed as problematic in practice: EU-targeted SEO, press releases, face-to-face meetings, country-code landing pages, referral arrangements with EU-regulated introducers, premium trading conditions advertised to EU retail audiences, and influencer content with geo-targeted reach.

MiCA: MiFID II’s framework, with more restrictions

MiCA uses MiFID II’s conceptual framework and adds several further restrictions. Article 61 of MiCA provides the reverse solicitation exemption for third-country crypto-asset service providers, and ESMA’s Guidelines on reverse solicitation under MiCA (Ref. ESMA35-1872330276-2030, published 26 February 2025) set out how narrow the carve-out is in practice:

Solicitation is defined extremely broadly: “technology-neutral,” covering internet commercials, brochures, emails, banners, pop-ups, social media activity, affiliate campaigns, retargeted advertising, sponsorships, and even general brand advertising “addressed to the public with a broad and large reach.”

Disclaimers do not work.ESMA is explicit that contractual arrangements or disclaimers cannot override contrary facts. An “I approached the firm” acknowledgement in the T&Cs will not save a firm whose marketing says otherwise.

Group entities and affiliates are in scope.Marketing by an EU-regulated group company is treated as solicitation by the third-country firm itself which removes a frequently-used structural arrangement.

Follow-on marketing is restricted.Even after a valid reverse-solicited transaction, the firm cannot push “further crypto-asset X transactions or transactions in similar crypto-assets” outside the context of the original interaction. A push notification two days later is not “the same transaction.”

NCAs will actively monitor.ESMA instructs national competent authorities to use marketing-monitoring tools, including social-media sweeps and country-code domain searches, and to follow up on whistleblower reports. The Annex to the Guidelines gives them a practical checklist.

MiCA’s transitional period ends on 1 July 2026. For non-EU crypto firms, any reliance on reverse solicitation to serve EU clients after that date needs to be re-tested against the 2025 Guidelines rather than the assumptions in place when the model was first designed.

PSD2: the exemption that isn’t really there

PSD2 does not contain a reverse-solicitation exemption in the MiFID II or MiCA sense. This is not a drafting gap; it reflects a different regulatory design.

Under Articles 11 and 37 PSD2, providing payment services in the EU on a regular, professional basis requires authorisation as a payment institution. The EBA and individual NCAs have treated cross-border provision of payment services into the EU as triggering authorisation, regardless of who made first contact.

The closest PSD2 analogues are:

The limited-network exclusion(Article 3(k)): an activity-based carve-out, narrowed further by the EBA’s 2022 Guidelines.
The commercial-agent exclusion(Article 3(b)): again, activity-based, not initiative-based.
Occasional, non-professional conduct falling outside PSD2’s scope because the firm is not a payment service provider by trade.

None of these is a reverse-solicitation exemption. If a non-EU payment firm provides regulated payment services to EU users on any sustained basis, it almost certainly needs an EU licence or a passported EU entity, whether or not the users came looking.

Practical takeaways for fintech teams

If your business relies on reverse solicitation, or you are about to be sold the idea by a cross-border partner, a few tests are worth running before you commit:

Identify which regime applies.Investment services? MiFID II. Crypto-asset services? MiCA. Payments, e-money, account information, payment initiation? PSD2.
Audit every client-facing channel.Not just the main website. Paid search, affiliate funnels, influencer deals, in-app push notifications, co-marketing with EU group entities, trade-fair participation, sponsored content; each is a potential solicitation surface.
Stop relying on disclaimers.A click-through acknowledgement that the client approached you “on their own initiative” will only be as strong as the surrounding facts. If those facts contradict the wording, the wording loses.
Document genuine client-initiated contact properly.Where reverse solicitation is available (MiFID II, MiCA), keep contemporaneous records: the communication that triggered the engagement, the product discussed, the service delivered.
Check the group, not just the main entity.Group companies, EU-regulated affiliates, tied agents and introducers are where supervisors are now looking. The contractual and marketing arrangements upstream deserve the same scrutiny as the client-facing ones.

If your firm is seeking to assess its reliance on the reverse solicitation exemption, or to strengthen the policies and controls that support that reliance, our team is available to assist with documentation frameworks, compliance reviews, and regulatory defence.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Regulatory requirements are subject to change; firms should obtain specialist legal advice tailored to their specific circumstances and regulatory status.