Folio 05 · Insights · Article

Apr 28, 2026

What is an EMI licence? A founder's guide to EU Electronic Money Institutions

Electronic Money Institution licences are the most common path for fintechs handling client funds across the EEA. This guide covers what an EMI licence enables, where it's typically filed, capital thresholds, and the operating shape post-authorisation.

EMI licence founder guide illustration

An EMI licence lets a fintech issue electronic money and provide related payment services, but it also brings safeguarding, governance, capital, and conduct obligations that shape the whole company. Founders usually ask about the EMI route when the product stores client balances — wallets, multi-currency accounts, prepaid cards — because that is exactly the line where lighter regimes stop being available. This guide covers what the licence enables, what it costs in capital and organisation, where it is typically filed, and what the company looks like after authorisation.

What the licence actually permits

An Electronic Money Institution authorised under the EU's e-money framework can:

  • Issue electronic money — stored value redeemable at par on demand, which is what a client balance in a wallet legally is.
  • Provide the full range of payment services a Payment Institution can offer: credit transfers, direct debits, card issuing, merchant acquiring, money remittance, account information and payment initiation services.
  • Distribute and redeem e-money through distributors, and provide payment services through agents, across the EEA once passporting notifications are made.
  • Hold the client float in safeguarded form — which is the legal heart of the model and the obligation everything else orbits.

What it does not permit matters as much: an EMI cannot take deposits or pay interest on the float in a bank-like way, cannot lend except in narrow connection with payment services, and cannot call itself a bank. Products that are economically deposit-taking or credit-led belong in different licence conversations.

EMI versus PI: the decision founders actually face

A Payment Institution can move money; it cannot hold client balances as stored value. The practical test: if funds only transit — collected, converted, paid out within the payment cycle — a PI is cheaper (€125,000 initial capital for the full service set) and the file is lighter. If the product's core loop is "client tops up, balance sits, client spends," the EMI is the honest fit, and trying to dress a stored-value product as pure payments is a perimeter argument supervisors have seen too many times to indulge.

Two adjacent comparisons complete the map:

  • Small EMI / SEMI regimes exist in several member states with lighter requirements and hard ceilings on float and volume, without passporting. Useful for validation; outgrown quickly by anything that works.
  • Agent or BIN-sponsor arrangements let a product launch on someone else's licence. Faster to market, structurally dependent, margin-sharing — the classic build-versus-rent trade, and many strong companies rent first and file later with traction as evidence.

The numbers: capital and own funds

The initial capital requirement for an EMI is €350,000, paid in and evidenced at authorisation. Ongoing own funds are calculated primarily as 2% of average outstanding electronic money, with the payment-services side adding its own component under the standard PI methods — so the requirement grows with the float and the volumes.

Supervisors read the financial projections against three questions:

  • Does capital stay above the requirement in the downside case, not just the plan?
  • Who funds the top-up if growth outruns plan — and can they demonstrably do so?
  • Are the unit economics coherent, or does the plan only work at volumes the AML programme could not survive?

Budget headroom above the bare minimum from day one. An application showing €350,000 exactly, with no buffer and no committed funding line, reads as underprepared even when it is technically compliant.

Safeguarding: the obligation that defines the business

Client funds must be safeguarded from the moment of receipt — segregated in dedicated accounts with a credit institution, invested in defined secure low-risk assets, or covered by an insurance arrangement. In practice this means:

  • A safeguarding bank willing to hold the accounts — often the hardest single dependency in the whole project, and worth solving before the application is filed, because the regulator will ask for the arrangement, not the intention.
  • Daily reconciliation between the e-money ledger and the safeguarding accounts, with breaks investigated and documented.
  • A documented safeguarding policy the regulator will read closely: when funds enter safeguarding, how mixed flows are split, what happens on insolvency, who signs off on movements.
  • Audit attention — safeguarding is the first thing external auditors and supervisors examine, because safeguarding failures are what turn an EMI problem into a client-money scandal.

Founders consistently underestimate this section. The product team thinks in balances; the regulator thinks in trust-like protection of those balances. The application that explains its safeguarding plumbing precisely — account structure, reconciliation cadence, breach escalation — buys credibility for every other section.

Governance and substance

An EMI application stands on the people in it. Supervisors expect:

  • Directors and key function holders — compliance, AML, risk — who are qualified, available, and actually doing the job described. Key holders are interviewed in most jurisdictions, individually.
  • Local substance proportionate to the business: a real office, resident management, decision-making where the licence lives. The era of approving thin files and checking later is over in every serious EU jurisdiction.
  • A three-lines model scaled to the firm: business ownership of risk, a compliance and risk function with independence and a budget, and an audit arrangement — internal, outsourced, or both.
  • IT, security, and outsourcing documentation that matches how the product is actually built, including where the BaaS, processing, and cloud partners sit, with exit plans for the critical ones.

The hiring sequence that works: compliance and MLRO hired before filing, not promised after. Their fingerprints on the policies are visible to an experienced reader, and their interviews carry the file.

Where founders typically file

  • Lithuania built the largest EMI cluster in the EU on a responsive central bank and direct access to SEPA infrastructure through CENTROlink — still a practical route, now with hardened substance and governance expectations.
  • Ireland and the Netherlands suit better-capitalised applicants with longer timelines and a preference for supervisory prestige with banks and partners.
  • Luxembourg fits products adjacent to funds and institutional flows.
  • Malta and Cyprus remain workable where the model fits the local supervisor's appetite, with banking access the question to answer first.
  • The UK is its own track post-Brexit: an FCA EMI authorisation with no EU passport, chosen for the UK market on its own merits.

The right answer is a function of banking access, where the team genuinely sits, the supervisor's temperament toward the specific model, and timeline tolerance — not a league table. The cheapest jurisdiction on paper is usually the one that costs the most in question rounds.

Timeline and the application file

A realistic EMI authorisation runs six to twelve months from a complete file, with variance driven by file quality and the queue. The file itself, in rough order of supervisory attention:

  • Regulatory business plan: the model, the markets, the flows, the numbers — internally consistent and stress-tested.
  • Safeguarding arrangement, contractual at filing.
  • Governance pack: structure, key people, fit-and-proper documentation, recruitment plan for the gaps.
  • Capital evidence and the funding plan behind the projections.
  • Policies that read like the company wrote them: AML/CTF, safeguarding, outsourcing, ICT and security, complaints, conduct.
  • Programme of operations mapping each service to its operational reality.

Operating shape after authorisation

Authorisation starts the relationship rather than ending it: periodic regulatory reporting, audited safeguarding, capital monitoring against the float, AML programme execution with inspections in the early years, and notification duties for changes in ownership, outsourcing, and the business plan. The standing cost of the compliance function — people, tooling, audit — is a permanent line item, typically the second-largest after payroll for the product itself. Budget it as the business model, because for an EMI it is.

Common reasons EMI applications stall

The same handful of findings accounts for most lost months across jurisdictions:

  • Safeguarding as an intention. "We are in discussions with several banks" is the single most common completeness failure. The arrangement must be contractual, with the account structure on paper.
  • Key hires promised, not made. The MLRO "to be recruited post-authorisation" stops the interview stage cold — there is no one to interview.
  • Projections tuned for investors. Hockey-stick growth without the compliance staffing that growth implies reads as a control failure in advance. Supervisors fund-check the cost lines, not the revenue lines.
  • Outsourcing that obscures the institution. If the BaaS partner runs onboarding, the processor runs payments, and the cloud provider runs everything else, the application must still show what the EMI itself controls — and it must be enough to be the institution. Files where the licence-holder is functionally a brand wrapped around vendors get rebuilt under questioning.
  • Ownership opacity. Every layer between the licence and the natural persons at the top adds a question round. Trusts, nominee arrangements, and token-linked entities need pre-written explanation memos with documents attached.
  • Inconsistency between chapters. The volumes in the business plan, the AML risk assessment, and the capital model must be the same numbers. One reconciliation read before submission saves a quarter.

Passporting and scaling after authorisation

The EEA passport is a notification process, not a second authorisation: the home supervisor forwards service notifications to host states on regulatory timelines measured in weeks per market. Practical sequencing:

  • Notify the launch markets at authorisation rather than all thirty: each live market adds host-state conduct expectations, complaint channels, and sometimes registration formalities worth absorbing gradually.
  • Agents and distributors extend reach without new licences, but each agent is onboarded into the EMI's own programme and reported to the register — an operational pipeline to build once and run continuously.
  • Material new products, corridors, or outsourcing arrangements after authorisation trigger notification or approval duties. The discipline of treating the regulator as a standing counterparty — informed early, surprised never — is what keeps the scaling phase administrative rather than adversarial.
  • The float's growth drives the own-funds requirement mechanically. Finance should re-forecast the 2% calculation quarterly and treat the capital raise lead time as part of the compliance calendar.

What the first year of operations looks like

Plan the post-authorisation year as a programme, not an afterthought:

  • Quarter one: regulatory reporting calendar stood up, safeguarding reconciliations running daily with evidence retained, board and committee cadence operating as filed.
  • Quarter two: first internal audit or compliance monitoring cycle against the approved policies; gaps logged and remediated with dates.
  • Quarter three: realistic assumption of first supervisory touchpoint — a thematic questionnaire, a safeguarding attestation, or an early AML inspection depending on jurisdiction.
  • Quarter four: business-plan variance review against what was authorised; notify material drift before the annual report reveals it.

Institutions that run this calendar treat their first inspection as a walkthrough. Institutions that planned only to launch treat it as an emergency.

Questions founders ask

Can we start on someone else's licence and migrate later?

Yes, and many should. Launching as an agent or programme of an existing EMI validates the product while the own-licence file is built. The migration itself needs planning — client communication, float transfer, BIN migration — but it is a known path.

Is the float ours to invest?

No. Safeguarded funds are protected for clients; the permitted investment options are deliberately narrow and low-risk. The float is a trust-like liability, not working capital — the business model earns on payments economics, not treasury.

How much does the whole project cost?

As a planning envelope: €350,000 capital, plus advisory and filing costs, plus the standing compliance function from before filing, plus the safeguarding bank relationship. Companies that budget only the capital figure discover the rest during assessment, with the clock running.

EMI or bank licence, eventually?

Different animals. The EMI is the right vehicle for payments and stored value at scale; a credit institution licence becomes relevant when deposits and lending are the model. Some EMIs graduate; most never need to.

The practical advice that survives every jurisdiction choice: solve banking and safeguarding first, hire compliance before filing, write the file around the real operating model — and treat the supervisor as a long-term counterparty from the first meeting, because that is what they are.

Ready-made EMI platforms, transfer-ready

Authorised EMIs with banking, card memberships and compliance files in place — for when the twelve-month application path is the wrong trade.

Editorial disclaimer

This article is general information only and is not legal, regulatory, tax, investment, or financial advice.

Need this guide turned into a decision?

Send SKY7 the product model, customer geography and launch timing. You get a route memo back: two or three workable jurisdictions, the capital and timeline for each, and which file we would open first.

Sofia Reinholt

Sofia Reinholt covers EU electronic money and payment institution authorisations for SKY7, including EMI, PI, API and SPI perimeter questions. Her work focuses on substance, safeguarding, own-funds, conduct controls, outsourcing and the practical evidence a buyer needs before relying on a seller-provided licence file. Sofia compares ready-made opportunities with new-authorisation timelines, separates EEA passporting from local permissions, and flags when a headline claim needs regulator, bank or scheme confirmation. Her articles are written for founders, acquisition teams and regulated operators that need a sober view of what can transfer, what must be notified, and which operating assumptions should be tested before signing or submitting a change-of-control package.