EMI License & Payment Institution Authorisation: Jurisdictions & Requirements

What Is EMI & Payment Institution Licensing?

EMI and Payment Institution licensing is the regulatory authorisation a business needs to legally issue electronic money or provide payment services. The licence is granted by a national financial regulator under one of two EU directives, or under the equivalent regime in non-EU European jurisdictions, and prescribes which activities the operator may perform, what capital must be held, how client funds must be safeguarded, and how the operator must report on operational and financial resilience.

The two EU regimes sit alongside each other. EMD2 (Directive 2009/110/EC) governs EMI authorisation, with minimum initial capital of €350,000 under Article 4 and ongoing own funds calculated under Method D, set at 2% of average outstanding electronic money under Article 5.^[1] PSD2 (Directive (EU) 2015/2366) governs PI authorisation, with tiered initial capital of €20,000 (money remittance), €50,000 (payment initiation), or €125,000 (all other services) under Article 7, and ongoing own funds under Methods A, B or C under Article 9.^[2] An EMI permission set is a superset of a PI permission set; most modern fintechs at any meaningful scale operate as hybrid EMIs that include the PI permissions, with own funds calculated as the higher of Method D (on the e-money float) and Method B (on the payment-services volume), without offsetting.

The framework is in its deepest transition since EMD2 was first adopted in 2009. PSD3 and the directly applicable Payment Services Regulation (PSR) reached provisional political agreement at approximately 01:25 on 27 November 2025 in Strasbourg, closing inter-institutional negotiation that began with the European Commission's June 2023 proposals,^[3] and technical trilogues continued under the Danish presidency through end-December 2025.

On 23 April 2026, the Council of the European Union published the final compromise texts (documents ST-8221-2026-INIT for the PSR and ST-8222-2026-INIT for PSD3), endorsed by COREPER the day before. The ECON Committee voted on 5 May 2026; the Parliament plenary vote is expected later in May 2026, and Official Journal publication is anticipated at the end of Q2 2026, with possible slip to September. The PSR will apply 21 months after entry into force, with the Verification of Payee provisions under PSR Articles 50 and 57 applying 27 months after entry into force; PSD3 national transposition is 21 months, with existing PI authorisations grandfathered for up to 27 months. Realistic market readiness is late 2027 to Q1 2028.^[4]

PSD3 is a structural reshape rather than a tightening, with five substantive changes for EMIs and PIs:^[5]

• EMD2 is repealed; EMIs become a sub-category of payment institutions, with Method D preserved for the e-money activity.
• A third safeguarding option is added: a central-bank account at the discretion of each Member State central bank.
• No single safeguarding method may cover 100% of client funds.
• A stronger fraud framework is introduced, including PSP refund liability for impersonation fraud.
• Mandatory IBAN-and-name Verification of Payee applies across the EU.

Three other regimes determine what an EMI/PI mandate looks like in 2026. The DORA Regulation (EU) 2022/2554 has applied to every EU EMI and PI since 17 January 2025; the European Supervisory Authorities designated the first 19 critical ICT third-party providers on 18 November 2025.^[6] The EU AML Reform Package (Regulation (EU) 2024/1624, the AMLR; Regulation (EU) 2024/1620 establishing AMLA; Directive (EU) 2024/1640, the AMLD6) applies from 10 July 2027 with AMLA operational since 1 July 2025 at its Frankfurt headquarters in the Messeturm.^[7] MiCA Regulation (EU) 2023/1114 Article 48(1) requires every e-money token (EMT) issuer to be authorised as either a credit institution or an EMI under EMD2; Circle Internet Financial Europe SAS, authorised by the ACPR on 1 July 2024, was the first global stablecoin issuer to comply.^[8]

An EMI or PI licence is not a single product. EU EEA-passport regimes (the fourteen Member State authorities) offer single-market access from a single home regulator, but with sharply diverging supervisory intensity: the Bank of Lithuania revoked at least nine EMI and PI licences between 2022 and Q2 2026, while the Central Bank of Ireland's "Dear CEO" letter cycle from January 2023 onwards lifted the safeguarding bar across the Irish payments population by an order of magnitude. The United Kingdom recoupled rather than decoupled: the FCA's new CASS 15 regime under PS25/12 takes effect on 7 May 2026, materially raising the safeguarding standard. Switzerland's FINMA Article 1b fintech licence offers direct Swiss Interbank Clearing access via a Swiss National Bank sight account, which no EU EMI can match.

The decision is rarely which jurisdiction has the lowest application fee. It is which jurisdiction the safeguarding banks, scheme operators, correspondent network and target markets will all accept. That short sentence is the entire framing of this page.

Who Needs an EMI or PI Licence?

An EMI or Payment Institution licence is required by any business that issues electronic money or provides payment services to clients. The trigger is the activity, not the volume: accepting client funds, holding them as a stored monetary claim against the issuer, executing payment orders against those funds, or providing payment initiation or account information services to third-party clients. Different operator profiles map to different licence categories and capital tiers.

Electronic money issuers are the core EMI population. The legal definition of electronic money under EMD2 Article 2(2) is "electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions, and which is accepted by a natural or legal person other than the electronic money issuer." Prepaid cards, e-wallets, gift programmes, employee benefit cards, B2B payout cards, in-app stored balances, and electronic vouchers all sit inside this definition. Initial capital is €350,000; ongoing own funds under Method D are 2% of average outstanding e-money, with competent authorities authorised to vary by ±20% based on internal-control adequacy.^[1]

Hybrid EMI/PI fintechs are the largest single category by count. A neobank that offers a euro IBAN wallet, accepts deposits onto a stored-value account, issues a debit card, processes domestic and SEPA Instant payments, and arranges currency conversion is hybrid by definition: the stored-value account is e-money under EMD2, and the payments on top are PSD2 services under Annex I. Hybrid applicants must compute and present both Method D and Method B own funds figures; Tier-1 regulators in Ireland, Germany and the United Kingdom require both calculated separately, with no offsetting. Practitioner observation: misclassifying a hybrid as a pure EMI at application stage is one of the most common causes of regulator-required re-papering, second only to safeguarding-bank attestation gaps.

Payment Institutions without e-money are the PI-only population: B2B cross-border payment processors, money remittance houses, card acquirers, foreign-exchange specialists, payroll providers, and merchant payment facilitators. The licence is PSD2-only with the lower tiered capital floor under Article 7, and many of these operators eventually upgrade to EMI authorisation as their business model develops stored-value features.

Open banking providers sit in two categories under PSD2 Article 4. Payment Initiation Service Providers (PISPs) initiate payment orders from a customer's account at another PSP and require €50,000 initial capital under PSD2 Article 7(b). Account Information Service Providers (AISPs) aggregate account information across PSPs and operate under PSD2 Article 33 with registration rather than authorisation, professional indemnity insurance or a comparable guarantee in place of capital. PSD3 will reshape the AISP/PISP regime materially: dedicated high-performing data-access interfaces become mandatory, user permission dashboards must allow the customer to revoke access at any time, and PISP refund liability for impersonation fraud is added at Regulation level under the PSR.^[5]

E-money token issuers under MiCA Article 48 are the newest population. A euro-denominated stablecoin issuer cannot operate in the EU under MiCA alone; it must be authorised as a credit institution or an EMI under EMD2.^[8] The EMI authorisation governs the issuance permission; MiCA Title IV governs the white paper (Article 51), 1:1 reserve backing, prohibition on interest payment to holders under Article 50, and the EBA significant-token regime under Article 56. Editorial position: the Circle-ACPR template of July 2024 has made France the de facto MiCA EMT domicile in 2026. A serious euro-stablecoin issuer with European institutional ambitions should not file the EMI application anywhere else without a specific business reason.

Crypto-asset service providers adding fiat rails are a growing subset. A MiCA CASP authorisation under Regulation (EU) 2023/1114 does not include payment services or e-money issuance. A CASP that offers euro IBAN wallets, processes fiat deposits and withdrawals on behalf of users, or facilitates fiat-denominated payment transactions typically needs an EMI overlay. The two regimes are coordinated but not consolidated; several large CASPs operate both authorisations in parallel from the same home regulator, with shared governance, AML and risk-management documentation. Coordination through our crypto licensing service handles the parallel application sequencing.

Embedded finance and Banking-as-a-Service operators sit in a fourth band. A marketplace that holds buyer funds in escrow before releasing to seller, a ride-share platform that pays drivers from a stored balance, a payroll platform that holds salary funds before distribution, or a vertical-SaaS product that offers card programmes to its customers is typically issuing electronic money or providing payment services, depending on the specific funds-flow and contractual structure. The CJEU judgment in Case C-661/22 ABC Projektai UAB v Lietuvos bankas on 22 February 2024 materially clarified the EMI/PI border: where funds are received without being immediately accompanied by a payment order, the activity is a payment service rather than e-money issuance, unless the customer has consented to e-money issuance via a contractual agreement.^[9] Several embedded-finance operators that historically classified themselves as EMIs may need to re-classify under the ABC Projektai test.

Where to Get Licensed

Seventeen jurisdictions cover the practical universe of EMI and Payment Institution licensing options for crypto-native, fintech and stablecoin operators. They split into two tiers: fourteen EU EEA-passport jurisdictions where a single home authorisation extends to all 30 European Economic Area Member States, and three non-EU European jurisdictions (United Kingdom, Gibraltar, Switzerland) that operate independent regimes with selective bilateral access. The right choice depends on target markets, banking tolerance, capital position, and the depth of substance the operator can credibly provide on the ground.

Tier 1: EU EEA-passport (14 jurisdictions)

The EU regulated tier is where MiCA EMT issuance, SEPA access, and pan-European passporting live, and where supervisory intensity has risen materially since 2023.

France is the credible domicile for serious euro-stablecoin and EMT issuance in 2026. The ACPR authorises EMIs under the Code monétaire et financier, Articles L.526-1 et seq., with safeguarding obligations at L.526-32 et seq. Initial capital is €350,000. Circle Internet Financial Europe SAS, authorised on 1 July 2024, was the first global stablecoin issuer to comply with MiCA Article 48 via ACPR-issued EMI authorisation; on 20 April 2026 Circle France additionally received AMF approval as a CASP under MiCA's Article 60 notification procedure (announced 4 May 2026), broadening its EU footprint to custody and transfer services for USDC and EURC across the EEA.^[8] Realistic timeline: 13 to 18 months. Corporate tax: 25.83%. Editorial position: when an operator says "I want a MiCA EMT licence", France is the answer unless there is a specific banking, substance or market reason to go elsewhere.

Ireland is the gold-standard credible EU domicile for embedded finance, Banking-as-a-Service, and large-float EMI businesses. The Central Bank of Ireland (CBI) authorises EMIs under the European Communities (Electronic Money) Regulations 2011 (SI 183/2011) and PIs under the European Union (Payment Services) Regulations 2018 (SI 6/2018). Initial capital is €350,000.

The CBI's 20 January 2023 "Dear CEO" letter to the payments industry required external safeguarding audit by 31 July 2023 (subsequently extended to 31 October 2023 by the CBI's 25 May 2023 Safeguarding Notice), and has driven a step-change in safeguarding bar across the Irish population.^[10] Per CBI data, the Irish PI/EMI population expanded from 14 firms in 2016 to 51 in 2023, with safeguarded funds rising from €726 million to €7.82 billion over the same period; this is by far the fastest-growing sector under CBI supervision.^[11] Realistic timeline: 16 to 24 months. Corporate tax: 12.5% trading rate.

Practitioner observation: Ireland is not a "fast-track" jurisdiction. It is the credible jurisdiction. Operators who position it as fast are mismeasuring the file.

Lithuania remains the largest single EMI cluster in the EU by count, but the supervisory cycle has changed materially. The Bank of Lithuania (Lietuvos bankas) authorises EMIs under the Law on Electronic Money and Electronic Money Institutions and PIs under the Law on Payments, with initial EMI capital of €350,000 and an application fee of €1,463. Between 2022 and Q2 2026 the regulator revoked at least nine EMI and PI licences:^[12]

• Payrnet (June 2023).
• Transactive Systems (1 June 2023), with a €280,000 fine.
• Majestic Financial (April 2024).
• Foxpay (22 November 2024); Foxpay's subsequent appeal was rejected by the Regional Administrative Court on 16 March 2026.
• Fundstr (20 June 2025), for severe and systematic AML and CTF breaches.
• KogoPay (22 July 2025), for failure to meet own-funds requirements and insolvency.
• Paytend Europe (4 March 2026), for AML and TF breaches.

Finolita Unio's appeal against the 8 June 2021 revocation was definitively rejected by the Supreme Administrative Court of Lithuania (LVAT) in November 2024. The regulator also fined more than 20 firms over €4 million in aggregate over the same period. The PSP Lab 2025 outlook records zero new EMI or Authorised PI authorisations in Lithuania from January to August 2025, though the Bank of Lithuania did grant payment-institution licences with EMT scope to MiCA CASP applicants (including Decentralized and Nuvei) in December 2025. The active EMI population fell from 87 in 2021 to 76 at end-2024, alongside 43 Payment Institutions for a total of 119 licensed institutions.^[13] CENTROlink remains the broadest EU SEPA gateway, but access has tightened for high-risk verticals post-Payrnet. Corporate tax: 15% (16% for some categories from 2025).

Editorial position: Lithuania is no longer the default jurisdiction for greenfield EMI applications in 2026. For established applicants with substantive Lithuanian operating teams and strong AML track records, it remains viable. For opportunistic applicants chasing a "fast" EU passport, the gate is operationally closed.

Netherlands has become the rising net beneficiary of the flow away from Lithuania and the UK. DNB authorises EMIs and PIs under the Wet op het financieel toezicht (Wft) of 12 October 2006, with EMI definitions and authorisation at Sections 1:1 and 2:11 and safeguarding at Sections 3:29a and 3:29aa; the AFM handles conduct supervision. Initial capital is €350,000. Realistic timeline: 13 to 21 months. Corporate tax: 25.8% on profits above €200,000, 19% below. Practitioner observation: DNB has emerged as the most pragmatic of the large EU regulators, with a credibility-and-speed balance close to Ireland's at materially shorter timelines.

Luxembourg is the financial-services hub of choice for large institutional payment operators and fund-services payment overlays. The CSSF authorises EMIs and PIs under the Loi du 10 novembre 2009 relative aux services de paiement, as amended by the Law of 20 July 2018 transposing PSD2. PI authorisation at Article 7; EMI authorisation at Articles 24-2 et seq. Initial EMI capital is €350,000. CSSF Circulars 18/692 and 19/713 govern operational and governance arrangements. Realistic timeline: 16 to 24 months. Corporate tax: 24.94% effective; substance is heavily weighted in the supervisory cycle.

Malta serves the MiCA-adjacent fintech population well, with a single regulator covering crypto, payments and securities. The MFSA authorises EMIs and PIs under the Financial Institutions Act, Chapter 376 of the Laws of Malta (1994), with subsidiary MFSA Financial Institution Rules. Initial capital is €350,000. PSP Lab records a 250% Authorised PI cancellation rate against issuances in Malta in 2025, indicating the supervisory cycle is tightening.^[13] Realistic timeline: 12 to 16 months. Corporate tax: 35% headline; effective rate around 5% via the shareholder-refund regime, subject to substance and anti-abuse tests.

Cyprus overlaps with the forex broker population and is a credible mid-tier EMI domicile. The Central Bank of Cyprus authorises EMIs under the Electronic Money Law of 2012 (L.81(I)/2012) and PIs under the Provision and Use of Payment Services and Access to Payment Systems Law of 2018 (L.31(I)/2018). The CBC issued an updated Electronic Money Institutions Directive of 2025. Initial capital is €350,000.^[14] Corporate tax was raised to 15% for tax years from 1 January 2026 onwards, gazetted 31 December 2025; profits earned in FY 2025 remain at 12.5%.

Estonia is realistic only for native Estonian operating teams with deep AML capabilities. The Finantsinspektsioon (FI) authorises EMIs and PIs under the Makseasutuste ja e-raha asutuste seadus, enacted 17 December 2009. As of November 2024 the FI hosted 12 PIs and 3 EMIs. Post-Danske, the FI has been one of the most cautious EU regulators for new EMI applications. Corporate tax: 22% on distributed profits, with no tax on retained earnings, a meaningful advantage for reinvested fintech growth. Practitioner observation: the FI's caution reflects a deliberate post-Danske policy; new EMI applications by foreign promoters without substantive Estonian presence are rarely successful.

Belgium is mid-tier with strong correspondent banking access through the Eurosystem. The National Bank of Belgium (NBB) authorises EMIs and PIs under the Loi du 11 mars 2018 relative au statut et au contrôle des établissements de paiement et des établissements de monnaie électronique, Belgian Official Gazette 26 March 2018. Safeguarding at Article 42 (PI) and Article 194 (EMI). Initial capital is €350,000. Corporate tax: 25%.

Latvia consolidated payment supervision when Latvijas Banka absorbed the former Financial and Capital Market Commission (FCMC) on 1 January 2023, and the Law on Payment Services and Electronic Money was amended to transfer competence. Initial capital is €350,000. Banking access remains constrained by the Baltic-wide post-ABLV de-risking cycle. Corporate tax: 20% on distributed profits (Estonian model).

Germany is the highest-supervision-intensity option in the EU: BaFin authorises EMIs and PIs under the Zahlungsdiensteaufsichtsgesetz (ZAG), enacted by Act of 17 July 2017, in force 13 January 2018. §10(1) PI; §11(1) EMI; §17 PI safeguarding; §18 EMI safeguarding; §12 capital tiers. Initial EMI capital is €350,000.

Post-Wirecard reforms under FISG (May 2021) gave BaFin direct intervention rights over outsourcing companies and created the Focus Units.^[15] The 4 November 2025 Operation Chargeback action day, led by the Koblenz General Prosecutor's Office and the BKA with Europol and Eurojust support, dismantled three criminal networks responsible for an estimated €300 million in damages affecting 4.3 million cardholders across 193 countries.^[16] BaFin participated; its Chief Executive Director for Resolution and Prevention of Money Laundering, Birgit Rodolphe, has publicly confirmed the underlying fraud was "completely stopped since 2021" due to BaFin pressure. Realistic timeline: 18 to 27 months. Corporate tax: approximately 30% all-in.

Practitioner observation: BaFin is now Tier-1 global supervision intensity. Choose Germany only if the business is operated out of Germany with German-resident senior management; the regulator is unforgiving of remote-substance applications.

Spain is a quietly active domicile with deep Iberian and LatAm market access. The Banco de España authorises EMIs under Ley 21/2011 de 26 July 2011 de dinero electrónico (BOE-A-2011-12909) and PIs under Real Decreto-ley 19/2018, with implementing rules in Real Decreto 778/2012 (EMI) and Real Decreto 736/2019 (PI). Initial capital is €350,000. PSP Lab notes Spain "quietly active" in 2025 with two new APIs and a 37.5% cancellation rate.^[13] Corporate tax: 25%.

Italy remains a difficult application jurisdiction in 2026. Banca d'Italia authorises EMIs ("IMEL") under Title V-bis of the Testo Unico Bancario (D.Lgs. 385/1993), with the IMEL register maintained under Article 114-quater TUB, and PIs under Decreto Legislativo 27 gennaio 2010, n. 11. Initial EMI capital is €350,000. PSP Lab records a 78.57% Authorised PI cancellation rate and a 50% EMI cancellation rate in 2024-2025, among the highest in the EU.^[13] Corporate tax: 24% IRES plus 3.9% IRAP regional.

Poland is the largest non-Baltic Central European market and a growing fintech hub. The Komisja Nadzoru Finansowego (KNF) authorises EMIs and PIs under the Ustawa z dnia 19 sierpnia 2011 r. o usługach płatniczych (consolidated Dz.U. 2025 poz. 611). PI authorisation at Article 60. Initial EMI capital is €350,000. Corporate tax: 19% (9% for small businesses below €2 million revenue).

Tier 2: Non-EU European (United Kingdom, Gibraltar, Switzerland)

The non-EU European tier offers independent regulatory regimes with selective bilateral access: EU passporting is not available, and UK and Swiss licensees access EU markets via local establishment or reverse solicitation under national rules.

United Kingdom is recoupling rather than decoupling. The FCA authorises EMIs under the Electronic Money Regulations 2011 (SI 2011/99) and PIs under the Payment Services Regulations 2017 (SI 2017/752). Initial capital for an Authorised EMI is €350,000, a floor the EMRs 2011 express in euro; PI tiers mirror PSD2. EEA passporting was unilaterally lost on 1 January 2021. The major May 2026 event is FCA Policy Statement PS25/12, published 7 August 2025, which introduces the Payments and Electronic Money (Safeguarding) Instrument 2025 (FCA 2025/38) with new CASS 15, SUP 3A and SUP 16.14A (the "Supplementary Regime") in force from 7 May 2026.^[17] The CASS 15 obligations are:

• Daily safeguarding reconciliations, excluding weekends and public holidays.
• Maintained resolution pack.
• Annual reasonable-assurance safeguarding audit by a qualified auditor, with a six-month submission window for the first audit report and four months thereafter.
• Monthly regulatory return.

An audit exemption applies where relevant safeguarded funds never exceeded £100,000 over a 53-week period. The "Post-Repeal Regime", introducing a statutory trust over relevant funds, has been deferred pending Supplementary Regime bedding-in. Realistic FCA application timeline: 9 to 16 months. Corporate tax: 25% (19% small profits rate).

Practitioner observation: FCA reputation among acquirers and correspondent banks is recovering after the 2021-2023 wind-down wave. CASS 15 is the most credible safeguarding regime in Europe and is likely to become the de facto baseline that PSD3 Level-2 standards reference.

Gibraltar is the UK gateway. The Gibraltar Financial Services Commission (GFSC) authorises EMIs and PIs under the Financial Services Act 2019. UK market access is preserved through the permanent Gibraltar Authorisation Regime under Chapter 22 / Schedule 2A FSMA 2000, inserted by the UK Financial Services Act 2021. Sector-specific transitional passporting for PSPs and EMIs under Schedule 7 PSRs 2017 and regulation 74A EMRs 2011 was extended to 31 December 2026 by the Financial Services (Gibraltar) (Amendment) (EU Exit) Regulations 2025 (SI 2025/1182).^[18] Initial EMI capital is £350,000. Corporate tax: 15% (from 1 July 2024).

Switzerland has no direct EMI equivalent. Three Swiss authorisation options exist for the EMI use case:^[19]

• The FinTech licence under Article 1b BankA (the "fintech licence"): permits public deposits up to CHF 100 million without interest payment and without investment of deposits, with minimum capital of CHF 300,000 or 3% of public deposits (whichever is higher).
• A full banking licence: minimum CHF 10 million.
• The Article 1 BankA sandbox exemption: up to CHF 1 million.

As of April 2025 only four active Article 1b licensees existed; two originally granted licences were subsequently revoked for failing ongoing requirements. The Federal Council opened a consultation on 22 October 2025 (closing 6 February 2026) proposing to repeal the Banking Act Article 1b fintech licence and replace it with two new categories under the Financial Institutions Act (FinIA): Payment Institution and Crypto Institution, with Payment Institutions given exclusive rights to issue value-stable crypto means of payment ("Regulated Stablecoins") and the existing CHF 100 million public-deposit cap removed. Federal Council dispatch and parliamentary deliberation are expected later in 2026; entry into force from 2027 at the earliest.

The Swiss fintech licence is the only Western European option providing direct Swiss Interbank Clearing (SIC) access via a Swiss National Bank sight account, a structural advantage no EU EMI can match. FINMA Guidance 01/2026 of 12 January 2026 on the custody of crypto-based assets directly affects any Swiss EMI-equivalent dealing with stablecoins or token custody. All-in cost CHF 1.8 million to CHF 3.2 million for fiat payment business. Corporate tax: 11.9% to 21% canton-dependent.

Jurisdiction comparison

All fourteen EU jurisdictions in the table below share the EMD2 Article 4 initial capital of €350,000 and offer EU passporting. Non-EU rows carry their own capital floors (€350,000 in the United Kingdom, expressed in euro by the EMRs 2011; £350,000 in Gibraltar; CHF 300,000 or 3% of deposits in Switzerland) and operate outside the EU passport (the UK applies CASS 15 from 7 May 2026; Gibraltar retains UK access via GAR/TPR to 31 December 2026; Switzerland holds direct SIC/SNB access in lieu). The columns retained below carry the variation that drives the choice between them.

The single most underweighted column in this table is "regulator supervisory intensity", which we cannot render in a table cell. As of May 2026, the credible-and-fast tier is led by France (ACPR) and the Netherlands (DNB); the credible-and-slow tier by Ireland (CBI); the credible-and-very-slow tier by Germany (BaFin); the historically-fast-but-now-gated tier by Lithuania.

Editorial position: the choice between France and Ireland for a serious EU EMI mandate now turns on two questions. Are you issuing a euro stablecoin or EMT? Choose France. Are you building a Banking-as-a-Service or embedded-finance platform with large client floats? Choose Ireland. Anything else is a banking-and-substance question, not a regulator-quality question.

Key Requirements

EMI and Payment Institution authorisation requirements vary by jurisdiction and tier, but six categories appear in every regulated regime: initial capital and ongoing own funds, corporate substance and key persons, safeguarding of client funds, AML and CFT controls, operational resilience under DORA, and reporting and governance. The depth, evidence standard, and enforcement intensity of each varies sharply across the seventeen jurisdictions.

Initial capital and ongoing own funds

Initial capital and ongoing own funds are the requirement most often underestimated. Under EMD2 Article 4, initial EMI capital is €350,000, and under EMD2 Article 5, ongoing own funds for the e-money issuance activity are calculated under Method D: 2% of average outstanding electronic money, with competent authorities authorised to vary by ±20% based on internal-control adequacy. For non-e-money payment services within a hybrid EMI, ongoing own funds for those activities are calculated under one of three PSD2 methods:^[2]

• Method A (fixed-overhead): 10% of the preceding year's fixed overheads.
• Method B (payment-volume): scaling with a k-factor of 0.5 to 1.
• Method C (composite-indicator): based on interest income and commissions.

Hybrid applicants must compute and present both Method D and Method B figures: Tier-1 regulators in Ireland, Germany and the United Kingdom require both calculated separately with no offsetting, and the binding own-funds figure is the higher of the two.

Practitioner observation: capital cushion of 12 months operating expenditure on top of the regulatory floor is now the de facto requirement at every Tier-1 regulator. Six months is no longer credible; thin-cushion applications are challenged.

Corporate substance and key persons

Corporate substance and key persons is the second universal requirement and the most common cause of application failure. Every regulated regime requires a locally incorporated company with a registered office, a board with fit-and-proper directors at least one of whom is locally resident, and a senior management team with relevant experience. The mandatory senior management roles across every regulated regime are:

• Money Laundering Reporting Officer (MLRO): primary contact for the regulator on AML/CFT matters.
• Chief Compliance Officer (CCO): regulatory compliance oversight across the firm.
• Chief Risk Officer (CRO): enterprise risk framework, including ICAAP and operational risk assessment.
• Chief Finance Officer (CFO): own-funds calculation, regulatory reporting, and audit liaison.

Supervisory expectations on substance differ materially across Tier-1 regulators. In Ireland, the CBI applies the Pre-Approval Controlled Function (PCF) regime and requires evidence of local residency for key roles; in Germany, BaFin scrutinises remote-substance applications closely post-Wirecard; and in Lithuania, the Bank of Lithuania's recent enforcement cycle was driven in significant part by substance and key-person failings.

Practitioner observation: hiring the MLRO, CCO and CFO in the licensing jurisdiction before filing the application (not after grant) is the single most impactful step on regulator credibility.

Safeguarding of client funds

Safeguarding of client funds is universal in name and increasingly tight in practice. Around 95% of EMIs use segregation in a credit institution, and daily reconciliation, with documented procedures and an evidence trail, is the universal expectation. Under EMD2 Article 7, three safeguarding methods are available:

• Segregation in a separate account at a credit institution.
• Investment in low-risk liquid assets meeting the secure-asset criteria.
• Insurance or comparable guarantee from a third-party insurer or credit institution.

The FCA's CASS 15 regime under PS25/12, effective 7 May 2026, sets the most detailed standard yet seen in any major jurisdiction.^[17] CASS 15 mandates:

• Daily safeguarding reconciliations, excluding weekends and public holidays.
• A maintained resolution pack.
• An annual reasonable-assurance audit by a qualified auditor: six-month submission window for the first audit report, four months thereafter.
• A monthly regulatory return.

Under PSD3, no single safeguarding method may cover 100% of client funds, which will force most EMIs to add a second safeguarding arrangement during the 21-month transposition window.

Editorial position: the operators who land their EMI grant cleanly are not the ones with the strongest application file. They are the ones whose safeguarding bank confirmation was secured before the regulator opened the substantive review.

AML and CFT controls

AML and CFT controls have moved fastest in regulatory expectations: the EU AML Reform Package applies from 10 July 2027, with AMLA operational since 1 July 2025 at its Frankfurt headquarters.^[7] The package comprises three operative instruments:

• Regulation (EU) 2024/1624, the AMLR: the single rulebook applying directly across Member States.
• Regulation (EU) 2024/1620, establishing AMLA as the EU-level supervisor.
• Directive (EU) 2024/1640, the AMLD6: the directive layer national authorities must transpose.

For EU-licensed EMIs and PIs, the package brings:

• A single rulebook replacing the patchwork of national AMLD5/6 transpositions.
• Direct AMLA supervision of the first 40 selected entities from 1 January 2028.
• A harmonised €10,000 EU-wide cash payment limit under AMLR Article 80.
• Customer due diligence triggered at occasional transactions of €3,000 or above.
• A 25% beneficial-ownership threshold harmonised across all Member States.

AMLA leadership is now in place. The Chair, Bruna Szego, was appointed by Council on 21 January 2025 and joined AMLA on 17 February 2025. Executive Director Nicolas Vasse joined on 16 September 2025. Four Executive Board members took office on 1 June 2025: Simonas Krėpšta, Rikke-Louise Petersen, Derville Rowland and Juan Manuel Vega Serrano. The fifth and final Board member, Hennie Verbeek-Kusters, was appointed by Council on 23 February 2026 after the original German nominee, Marcus Pleyer, withdrew before taking office.

Non-EU regulators have moved in parallel: the FCA's financial-crime expectations under SYSC 6.3 have intensified materially since the 2023 enforcement cycle. The CBI's 20 January 2023 "Dear CEO" letter included AML expectations alongside safeguarding requirements, and the resulting Irish payments-population-wide remediation programme has set the practical baseline for EU AML supervision.

Operational resilience under DORA

Operational resilience under DORA is the requirement most often missing from competitor pages: the Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied since 17 January 2025 to every EU EMI and PI.^[6] DORA mandates five core elements:

• An ICT risk-management framework under Articles 5 to 14.
• An incident-reporting cadence (classified, initial, intermediate, final notifications) for major incidents under Articles 17 to 19.
• A maintained Register of Information for ICT third-party providers under Article 28.
• Periodic resilience testing, including threat-led penetration testing for in-scope firms under Articles 26 to 27.
• Direct ESA oversight of "critical" ICT third-party providers (CTPPs) under Article 31.

The European Supervisory Authorities designated the first 19 critical ICT third-party providers on 18 November 2025:^[20]

• Accenture plc
• Amazon Web Services EMEA Sarl
• Bloomberg L.P.
• Capgemini SE
• Colt Technology Services
• Deutsche Telekom AG
• Equinix (EMEA) B.V.
• Fidelity National Information Services Inc.
• Google Cloud EMEA Limited
• International Business Machines Corporation
• InterXion HeadQuarters B.V.
• Kyndryl Inc.
• LSEG Data and Risk Limited
• Microsoft Ireland Operations Limited
• NTT DATA Inc.
• Oracle Nederland B.V.
• Orange SA
• SAP SE
• Tata Consultancy Services Limited

Critical ICT third-party providers face periodic penalty payments of up to 1% of average daily worldwide turnover under Article 35(8).

Practitioner observation: the European Supervisory Authorities' 2024 dry-run exercise found that only around 6.5% of the nearly 1,000 firms tested passed all 116 Register of Information data-quality checks. The gap shows up immediately when a CBI, DNB or BaFin review starts asking about ICT third parties.

Reporting and governance

Reporting and governance close the requirement set: every regulated EMI/PI must submit a regular flow of regulatory returns and notifications, and inform the regulator of material changes to the business as they occur. The standard reporting cadence covers:

• Quarterly prudential returns: own funds, capital ratio, fixed overheads, payment volume.
• An annual audited financial statement.
• An annual safeguarding audit, where required by the jurisdiction.
• DORA major-incident reports as they occur.
• AML suspicious activity reports as they arise.
• Ad-hoc notifications for material changes in shareholders, key persons, business model, or outsourcing arrangements.

The FCA's CASS 15 monthly safeguarding return adds a UK-specific reporting layer from 7 May 2026. AMLA's selection of the first 40 directly supervised cross-border financial groups on 1 July 2027 will add a parallel EU reporting layer for any EMI passporting into six or more Member States. The common mistake is treating the six-Member-State passporting footprint as a commercial scaling metric rather than the AMLA direct-supervision trigger it now is; operators routinely passport into six or seven jurisdictions to satisfy a board KPI without modelling the reporting, governance and on-site inspection burden that direct AMLA supervision imposes from 1 July 2027 onwards.

How Jagelski & Partners Helps

Jagelski & Partners coordinates EMI and Payment Institution licensing as a single mandate: corporate formation, licence application, safeguarding banking placement, capital structuring, and AML and DORA programme set-up run in parallel rather than in sequence, so that capital, substance and safeguarding banking arrive ahead of the regulator asking.

Jurisdiction selection

The first work item on every mandate is a jurisdiction call. We do not recommend a jurisdiction before mapping four variables together:

• The operator's regulated activities: e-money issuance, payment services under PSD2 Annex I, PISP, AISP, EMT issuance under MiCA Article 48.
• The markets the operator actually targets, not the markets it aspires to.
• The leverage levels the operator intends to offer to its own clients.
• The safeguarding banks the operator can realistically reach in each candidate jurisdiction.

A euro-stablecoin issuer with European institutional ambitions, €5 million of available capital and a 20-month runway needs a different recommendation than a B2B cross-border payments operator targeting LatAm with €1 million of capital and a 12-month runway.

Editorial position: Lithuania is no longer the default for new entrants in 2026. The Bank of Lithuania's enforcement cycle has materially closed the gate for opportunistic applicants. France for stablecoin and EMT issuance, Ireland for embedded finance and BaaS, and the Netherlands for pragmatic credibility are the credible EU defaults.

Corporate formation in parallel with the licence application

Once the jurisdiction is selected, we run corporate formation in parallel with the licence application; the substance work is jurisdiction-specific:

• France: a French SAS or SA with locally resident senior managers and registered office in place before the ACPR file is submitted, with senior management interviews scheduled.
• Ireland: an Irish DAC or PLC with at least one EU-resident director, a PCF stack identified, and CBI pre-application engagement booked.
• United Kingdom: a UK limited company with FCA-approved persons identified, the CASS 15 safeguarding architecture documented, and FCA pre-application contact opened.

We coordinate formation through our company formation service at the depth the licence requires, not the cheapest depth available.

Safeguarding banking placement

The safeguarding bank placement runs alongside the licence application, not after, because EMI safeguarding is a Tier-1 high-risk category at every credit institution and EMI banking provider. Pre-qualification with institutions that have an active programme for EMI safeguarding accounts is the difference between a four-week safeguarding bank timeline and a four-month one. An EMI mandate typically requires three distinct account types, each with a different acceptability profile:

• The segregated client-money account holding safeguarded e-money funds under EMD2 Article 7.
• The operating account for the firm's own working capital.
• The regulatory capital account holding initial capital and ongoing own funds.

Pre-qualification is handled through our high-risk business accounts workflow. Under PSD3's prohibition on any single safeguarding method covering 100% of client funds, we now build a two-bank or bank-plus-secure-assets architecture by default for any EMI applying for authorisation expected to be granted near PSD3 transposition.

Practitioner observation: the operators who land their EMI grant cleanly are the ones whose safeguarding bank was confirmed before the regulator opened the substantive review.

DORA, AML and post-launch compliance

DORA readiness, AML manual, KYC tooling, risk-management framework, and regulatory reporting infrastructure are sequenced into the application timeline so that on the day the regulator grants the licence the operator can go live, not start a three-month build. The DORA Register of Information and ICT third-party inventory are now expected by Tier-1 regulators on day one, not at on-site inspection. The pre-grant programme covers four workstreams:

• Hiring and placing the MLRO, CCO, CFO and CRO in the licensing jurisdiction before filing.
• Building the AML risk-based approach at customer-segment level rather than at firm level.
• Documenting the sanctions-screening tooling with regulator-grade evidence trails.
• Producing the DORA Register of Information and ICT third-party inventory in the format Tier-1 regulators now expect on first request.

Post-launch we handle ongoing compliance reporting, annual safeguarding audits, key-person changes, and the regulatory milestones that fall due: AMLA selection from 1 July 2027, FCA CASS 15 monthly returns from 7 May 2026, and PSD3 transposition during 2027 and 2028.

MiCA EMT and CASP overlays

For stablecoin and EMT issuance under MiCA Article 48, we coordinate the EMI authorisation with the MiCA Title IV obligations through our crypto licensing service. The EMI authorisation holds the issuance permission; the MiCA white paper, reserve composition, redemption framework and significant-token threshold compliance run in parallel.

For CASPs adding fiat rails, we sequence the EMI overlay alongside the MiCA CASP authorisation under the same home regulator where possible, with shared governance, AML and risk-management documentation.

Agentic payments and AI-agent commerce

AI agents now initiate payments autonomously, including machine-to-machine flows: crypto-native agent flows settle in stablecoins or e-money tokens via protocols such as x402 (contributed by Coinbase to the Linux Foundation in 2026) and Google's Agent Payments Protocol (AP2), while card networks run their own agent rails through Visa Intelligent Commerce and Mastercard Agent Pay. No jurisdiction has created a dedicated agent-payments licence: the activity is regulated by what the payment does, not by what initiates it. Issuing the EMT an agent spends is EMT issuance, which under MiCA Article 48 and EMD2 requires an EMI authorisation or a bank.

This is where the EMI licence becomes the load-bearing permission for agentic-payment infrastructure. Per the European Banking Authority, a MiCA CASP authorisation alone does not cover moving those tokens for clients: that is a payment service needing a payment or e-money institution permission under PSD2, or money-transmitter licensing in the United States. The PSD2 commercial-agent exemption covers commercial and legal agents, not AI agents, and almost never reaches an agent-payment platform. We scope the EMI authorisation as the issuance and settlement spine, paired with our work for stablecoin issuers.

For licensing work, Jagelski & Partners is engaged by the client on a fixed-fee or fixed-fee-plus-success basis depending on the mandate. For banking placement coordinated alongside, Jagelski & Partners is paid by the institution, not by the client. We do not mark up institutional banking or EMI pricing, and we do not charge a banking onboarding fee. The institutional rates the client sees on banking onboarding documentation are the rates the institution applies.

Frequently Asked Questions

References