Introduction
Operating as a payment service provider without proper authorisation isn't a grey area — in the UK, PSRs 2017 Regulation 138 makes it a criminal offence. In the EU, PSD2 Article 37 requires Member States to prohibit unauthorised providers entirely. For non-bank firms wanting to process payments, execute transfers, or initiate transactions on behalf of customers, a Payment Institution (PI) licence is the regulatory gateway.
This guide is written for fintech founders, compliance leads, and startup operators who need to understand PI licensing in practical terms. It covers the actual process, real timelines, and the decisions that determine whether your application sails through or stalls for 18 months — from pre-application preparation through to post-authorisation obligations.
Getting it right the first time matters. Investors scrutinise authorisation status before committing capital. Banking partners won't onboard unlicensed entities. And the licensing clock starts ticking long before your product is ready to launch — which means the firms that struggle most are those who treat compliance as an afterthought.
TL;DR
- A PI license is granted by a national regulator (FCA in the UK, Bank of Lithuania, Central Bank of Ireland, etc.) and authorises non-bank firms to provide regulated payment services under PSD2.
- Two tiers exist: Authorised PI (for scale and cross-border operations) and Small PI (lighter requirements, no EU passport, volume-capped).
- Initial capital ranges from €20,000 to €125,000 depending on services offered.
- Real-world timelines run long: a 2025 EBA peer review found a 9.5-month median EEA process, well beyond the 3-month statutory clock.
- AML/CFT infrastructure and safeguarding account access are the two most common blockers.
What Is a Payment Institution License and Who Needs One?
A PI licence is a regulatory authorisation that lets a non-bank company provide specified payment services without holding a full banking charter. Under PSD2 Annex I, those services include:
- Executing credit transfers and direct debits
- Acquiring card payments
- Money remittance
- Payment initiation services (PIS)
- Account information services (AIS)
- Issuing payment instruments
Any UK or EU company offering these services to the public as a business activity falls under PSD2 (or its national transposition). That covers fintechs, money transfer operators, payment facilitators, open banking platforms, and embedded finance providers.
Operating without a PI licence or registration exposes founders to criminal enforcement — not just regulatory fines.
How PI Differs from EMI and Bank Licences
| Licence Type | Can Issue E-Money | Can Accept Deposits | Can Lend | Minimum Capital |
|---|---|---|---|---|
| Payment Institution | No | No | No | €20k–€125k |
| Electronic Money Institution | Yes | No | No | €350,000 |
| Bank | No | Yes | Yes | Much higher |
A PI covers most payment business models, with lower capital requirements and a faster path to authorisation than a bank charter. The key constraint: it cannot store customer value in a wallet or issue prepaid cards. If your model includes either, you'll need an EMI licence instead — and the requirements change significantly.
Core Requirements to Obtain a Payment Institution License
Capital Requirements
PSD2 Article 7 (and UK Schedule 3 of PSRs 2017) ties the capital threshold to the services being offered:
- €20,000 — money remittance only
- €50,000 — payment initiation services
- €125,000 — transfers, acquiring, direct debits, card issuing
These are initial capital floors, paid up in cash at licensing. GBP equivalents apply in the UK — verify current amounts directly with the FCA, as these aren't published as fixed sterling figures.
Beyond initial capital, licensed PIs must maintain ongoing own funds calculated using Methods A, B, or C under PSD2 Article 9 (not four methods — three). The regulator selects the method. Undercapitalisation here is one of the most common reasons for post-licensing restrictions.
Governance and Fit-and-Proper Requirements
Directors, key function holders, and qualifying shareholders must all pass a fit-and-proper assessment covering:
- Relevant professional experience and qualifications
- Financial history and credit standing
- Criminal record checks
- Absence of regulatory sanctions
Regulators increasingly scrutinise local substance — not just a registered address, but actual staff on the ground. An application with a letterbox office and directors based elsewhere will face hard questions, particularly in EU jurisdictions.
AML/CFT Compliance Framework
A documented AML/CFT programme is non-negotiable. Required components include:
- Written AML policies and procedures
- A designated compliance officer (MLRO in the UK, per MLR 2017 Regulation 21)
- Business-wide risk assessment (UK MLR 2017 Regulation 18)
- Customer due diligence processes
- Transaction monitoring systems
- SAR escalation and reporting workflows
For early-stage startups, this is where applications most commonly stall. Building these from scratch while simultaneously preparing the broader application file is a significant undertaking. Many founders bring in fractional compliance leadership — a fractional MLRO or CCO through a firm like Fraxtional, which covers UK FCA requirements directly including acting as named MLRO on regulatory filings — to build this infrastructure before formal submission rather than hiring full-time too early.
Safeguarding Plan and Business Plan
Two further requirements must be live at authorisation:
- Safeguarding account — Customer funds must be held in a segregated account at a credit institution or covered by an equivalent insurance/guarantee arrangement (PSD2 Article 10, UK Regulation 23). The account must be operational before authorisation is granted.
- Three-year business plan — Regulators expect stressed financial projections, full service descriptions, target markets, and operational flow diagrams. A generic plan will not pass scrutiny.
How to Apply: The PI License Process Step by Step
The process is broadly standardised across EU member states by EBA guidelines (EBA/GL/2017/09), though execution timelines and regulator engagement styles vary by jurisdiction. In the UK, all submissions go through the FCA's Connect portal.
Step 1: Choose Your Jurisdiction
Your home Member State — where the PI's head office and main activities are located — is where the application must be filed. Substance matters. Key options:
- Lithuania — fastest processing (3 months if documents are complete, per Bank of Lithuania guidance), most fintech-friendly
- Ireland — post-Brexit relocation favourite, but the Central Bank of Ireland notes applications can take over 12 months when documentation is deficient
- Malta — strong for higher-risk business models; MFSA statutory clock is 3 months for complete files
- UK (FCA) — major hub with Authorised PI and Small PI regimes; no EU passport post-Brexit
Step 2: Prepare Your Application File
A complete application package includes:
- Programme of operations
- Three-year financial projections with stress scenarios
- Governance charts and organisational structure
- AML/CFT manual and risk assessment
- Internal control and risk management framework
- IT and security risk assessment
- Business continuity plan
- Safeguarding plan
- Fit-and-proper questionnaires for all key persons
File completeness is critical. An incomplete file triggers stop-the-clock queries — and each one adds months to the real-world timeline.
Step 3: Pre-Application Engagement
Regulators across all major jurisdictions expect a pre-application meeting before formal submission. Use it to present your business model, proposed services, capital plan, and safeguarding design. Early feedback prevents avoidable rejections and sets a cooperative tone with the regulator.
Step 4: Submit Formally and Respond to Queries
The statutory review clock under PSD2 is 3 months from a complete file. In the UK, an incomplete application can take up to 12 months. Stop-the-clock queries are the main reason real-world timelines extend to 9 months or beyond — and the quality of your responses matters as much as the original file. Vague, delayed, or inconsistent answers compound the delay.
Step 5: Meet Conditions and Receive Authorisation
Most regulators issue a "minded-to-approve" notice with conditions before granting full authorisation. Typical conditions:
- Capital paid up and evidenced
- Key personnel in place
- Systems tested and operational
- Live safeguarding account documented
Once conditions are met, authorisation is granted. EU authorised PIs can then passport into other EEA jurisdictions via notification under PSD2 Article 28.
Key Factors That Can Make or Break Your Application
Four pressure points consistently determine whether an application clears review or stalls in a back-and-forth cycle with the regulator.
File Quality
The EBA's 2025 peer review found that authorisation timing across the EEA remains directly linked to incomplete or poor-quality applications. Regulators flag:
- Vague or generic business plans
- Inconsistent financial projections
- AML frameworks copied from templates without adaptation
- Governance structures that don't reflect actual operations
Substance and Local Presence
Since 2023, EU regulators have sharply tightened substance requirements. Applicants must demonstrate real operational presence — locally based directors and compliance staff, not just a registered address. Startups trying to license in a low-cost EU jurisdiction while operating entirely from another country face increasing scrutiny on this point.
Safeguarding Account Access
Securing a segregated safeguarding account with a credit institution is harder than most applicants expect. Many banks apply their own due diligence requirements and are reluctant to onboard unlicensed entities.
UK Finance's 2024 response to FCA CP24/20 confirmed that available providers are limited, and FCA data showed approximately 35% of safeguarding firms held relevant funds in accounts at other e-money institutions rather than traditional banks.
Start bank conversations early — ideally before the application is otherwise complete. This is a critical-path dependency, not an afterthought.
PSD3 Transition
Applicants in 2025–2026 apply under PSD2, but the transition to PSD3 and the Payment Services Regulation (PSR) is in progress — the Council agreed its position in June 2025. Regulators are already reviewing files with stronger fraud monitoring, incident reporting, and outsourcing expectations in mind. Under PSD3, e-money institutions will become a sub-category of payment institutions, creating a unified regime.
Design your compliance framework to accommodate these changes now — retrofitting after the fact costs far more than building them in from the start.
Common Mistakes and When a PI License May Not Be Right
Common Misconceptions
A PI license is not a one-time achievement. Post-authorisation obligations include:
- Daily safeguarding reconciliations
- Regular own-funds reporting
- Ongoing AML transaction monitoring
- Regulatory notifications for material changes
- Periodic governance and control reviews
Many applicants also treat compliance as something to build after licensing. That approach will get your application rejected. The AML framework, governance structure, and safeguarding plan are prerequisites for approval — not deliverables for later. Firms that appoint a dedicated compliance lead early, whether full-time or fractional, consistently produce stronger application files.
When to Reconsider
A PI license may not be the right path if:
- Your model requires storing customer value — prepaid cards, wallets, or stored value require an EMI licence
- Your volumes are low and EU access isn't needed — Small PI registration or agent status under an existing licensed institution is faster and cheaper
- You need to begin payment operations immediately — with 9+ month timelines, operating as an authorised agent under an existing PI or EMI licence is a compliant interim route while your own application progresses
- A licensed entity is available to acquire — in some EU markets, acquiring an already-licensed firm is worth exploring with legal counsel
Frequently Asked Questions
Frequently Asked Questions
What is a payment institution license?
A payment institution license is a regulatory authorisation granted under PSD2 (transitioning to PSD3) by a national competent authority. It allows a non-bank firm to provide regulated payment services (transfers, money remittance, acquiring, payment initiation) without the right to take deposits or issue e-money.
How do you get an EMI license in the UK?
The FCA grants EMI licences in the UK, requiring minimum initial capital of €350,000 (verify the current GBP equivalent directly with the FCA). The key difference from a standard PI authorisation is the additional scope to issue and redeem e-money. Applications go through the FCA's Connect portal.
How do you become a Small Payment Institution?
Small PI registration is available to firms processing less than an average of €3 million per month in payment transactions. The application process is lighter than a full Authorised PI, but there is no EU passport and volume limits apply.
What's the difference between the FCA and PRA?
The FCA regulates conduct and authorises payment institutions and EMIs in the UK. The PRA oversees the safety and soundness of systemically important firms — banks, building societies, large insurers. Most fintech payment firms deal exclusively with the FCA.
How much capital do I need for a PI license?
Initial capital under PSD2 ranges from €20,000 (money remittance only) to €125,000 (transfers, acquiring, and card issuing). Ongoing own-funds obligations apply from day one, calculated using Methods A, B, or C — verify current GBP equivalents directly with the FCA.
How long does it take to get a payment institution license?
The statutory review period is 3 months from a complete file, but the EBA's 2025 data shows a 9.5-month median across the EEA. Lithuania processes well-prepared files fastest; Ireland and Germany tend to take longer. How well you prepare the file is the biggest factor you can control.
