Payment Institution Licence in the EU: What It Takes

A PSP launch rarely fails because the product is weak. It fails because the licensing plan is vague, the compliance build is undercooked, and banking partners do not believe the business can control risk at scale.

If you are considering a payment institution licence in the EU, the core question is not “Can we get authorised?” It is “Can we get authorised on a timeline that matches our commercial runway, and will that authorisation be bankable and durable once we start processing?”

What a payment institution licence in the EU actually is

Under PSD2, a payment institution (PI) is an authorised firm that provides payment services such as executing credit transfers, card payments, acquiring, money remittance, or initiating payments. A PI licence is not a general fintech badge. It is a regulator-approved operating model that needs to work day-to-day: governance, safeguarding, AML, outsourced providers, IT security, complaints handling, and reporting.

Two practical points matter immediately.

First, “passporting” is only useful when the home licence is credible. If your compliance model looks like it was assembled to tick boxes, counterparties and banks in other Member States will treat you as high risk, even if you have passport rights.

Second, PSD2 authorisation is not a shortcut around AML expectations. Payment firms sit in the middle of fraud, sanctions, mule networks, and scam typologies. Regulators will assess whether your controls match your risk, not whether you can quote the rules.

PI vs EMI: choosing the right permission set

Founders often start with “payment institution licence EU” as the default, then realise their business model is closer to e-money. The distinction matters because it drives capital, safeguarding, financial reporting, and what you can issue.

A PI can provide payment services, but it cannot issue e-money. If your product includes stored value, wallets, prepaid accounts, or “balance” functionality that users can hold and later spend, you may be in EMI territory. EMIs can issue e-money and provide payment services, but they come with higher regulatory expectations and, typically, higher capital requirements.

There is no universal best choice. A PI can be the right tool for acquiring, PIS/AIS models, or remittance-like flows where you do not hold value beyond execution. An EMI may be unavoidable if you want wallets, IBAN-like accounts, or long-term balances. The key is aligning the authorisation to your product roadmap, not just the MVP.

The regulator will assess your “operating truth”, not your pitch deck

A strong application is not a marketing narrative. It is a coherent description of how money, data, and accountability move through your business.

Regulators typically focus on five areas that determine whether a PI is controllable:

Governance and substance

They will look for real decision-making in the licensing jurisdiction: directors with relevant experience, clear reporting lines, and a compliance function that is independent enough to challenge the business.

Substance is also practical. If your entire team is elsewhere and the local entity exists only on paper, you are building friction into every regulator interaction, and often into banking.

Safeguarding of client funds

Safeguarding is not a paragraph in a policy. It is your daily reconciliation, segregation approach, and the specific safeguarding accounts and institutions you will use.

The trade-off is that safeguarding design affects your commercial agility. Some models are simpler but constrain treasury operations. Others are more flexible but require stronger controls and reconciliation capabilities.

AML/CTF and fraud controls

Expect scrutiny on risk assessments, onboarding, monitoring, sanctions screening, transaction monitoring scenarios, escalation, and SAR workflows.

If you serve crypto-adjacent clients, high-risk geographies, iGaming, adult, or certain cross-border corridors, your “risk appetite” cannot be aspirational. It needs to be expressed in concrete acceptance rules, monitoring logic, and resourcing.

Outsourcing and third parties

Most payment firms rely on processors, KYC vendors, cloud providers, customer support centres, and sometimes white-label programme managers.

Regulators will want clear contracts, oversight processes, audit rights, and exit plans. Outsourcing can speed up delivery, but it also increases failure points. If your critical functions are outsourced and you cannot demonstrate oversight, the application can stall.

ICT and security

Operational resilience is no longer a back-office afterthought. Between GDPR expectations, PSD2 security requirements, and the reality of fraud attempts, you need clear controls: access management, incident response, logging, data retention, and business continuity.

If you are also preparing for DORA-style resilience expectations, build with that end state in mind. Retrofitting controls after authorisation is expensive and creates reporting risk.

Timelines: what you can control and what you cannot

Licence timelines vary widely across the EU. Some authorities are faster and more predictable; others have longer cycles, deeper back-and-forth, and heavier demands on local substance.

You cannot control regulator queues, but you can control the two factors that most often turn a “standard timeline” into a painful one: application quality and readiness.

Readiness means your internal answers do not change every two weeks. If your safeguarding bank is “to be confirmed”, your MLRO is “in discussion”, your outsourcing model is “finalising”, and your product scope is still moving, the regulator will see a business that is not stable enough to supervise.

Application quality means consistency. Financial forecasts must match your business model. The compliance framework must match your risk assessment. Your organisational chart must match who actually does the work. Contradictions are one of the fastest routes to repeated questions and credibility loss.

Costs and capital: commercial clarity beats optimism

Budgeting for a PI licence is not just about legal fees. It is the full build: local staffing or directors, compliance resourcing, policies and procedures, technology controls, audits, office and substance, and the cost of maintaining the licence post-authorisation.

Capital requirements depend on the payment services you provide and your volumes. The strategic point is simpler: regulators and banks want to see that the firm can absorb shocks. If your plan assumes profitability too early, or your runway does not cover a realistic authorisation window plus early operating losses, you are creating a licensing risk.

Be direct about your funding position and how you will sustain compliance. Under-resourcing compliance is not a saving. It is a delay, an enforcement risk, or a bank account closure waiting to happen.

Why PI applications get rejected or dragged out

Most failures are preventable. They usually stem from one of three problems.

The first is a mismatch between the stated model and the actual flow of funds. For example, claiming you will never hold client money, while your user journey clearly creates interim balances, or your settlement cycle implies custody. Regulators catch this quickly.

The second is governance theatre: impressive CVs but no evidence of how oversight works in practice, or a compliance function that reports into sales. If the control functions lack authority, the regulator will not believe the firm can say “no” to risky revenue.

The third is outsourcing without control. If critical services are outsourced and your oversight is “we will rely on the provider”, you are effectively asking the regulator to supervise your vendor for you.

Faster routes to market: when build-from-scratch is not the best answer

Sometimes the licence is not the bottleneck you can afford. If your commercial window is tight, you have two alternative routes, each with trade-offs.

One route is acquiring or taking over a ready-made regulated entity. This can reduce time-to-market, but only if due diligence is rigorous. You need to assess historic compliance, any remediation obligations, regulator relationship quality, outsourcing contracts, and whether the permission scope fits your intended activity. A “licensed shell” with weak controls is not a shortcut. It is inherited risk.

Another route is partnering with an existing licensed firm as an agent or programme partner while you pursue your own authorisation. This can validate the product and generate revenue, but it also creates dependency, margin pressure, and limits on product design.

The right answer depends on your runway, investor expectations, and how much control you need over customer experience and unit economics.

Jurisdiction selection: pick for supervision, not just speed

A common mistake is selecting a country based on headline licensing timelines alone. Your real-world outcomes depend on how the authority supervises, what it expects for local presence, and how your target banking partners perceive that jurisdiction.

If you plan to serve higher-risk verticals, you should also consider how comfortable the regulator is with your customer base and transaction profiles. Some jurisdictions are pragmatic with complex models if the controls are strong. Others are more conservative, meaning the same model that passes in one country becomes a multi-round negotiation in another.

This is where execution quality matters. A well-prepared application in a reasonable jurisdiction can outperform a rushed application in a “fast” jurisdiction.

How to approach the project so it stays on track

Treat the licence as a build programme with legal, compliance, operations, and technology tracks running in parallel.

Start with a precise scope statement: which payment services, which customer types, which geographies, which flows, and what you will not do in year one. Then build the risk assessment to match that scope, and only then build policies, monitoring, safeguarding, and resourcing.

If you want predictable outcomes, avoid tiered, vague consulting packages that leave you filling gaps late in the process. Firms that operate in regulated markets need end-to-end accountability, including the difficult parts: regulator Q&A, remediation, and making the model bankable. For teams that want a single execution partner from jurisdiction selection through application and operational readiness, NUR Legal typically supports the full licensing and compliance build, including ready-made options where speed is the priority.

A payment institution licence is not just a permit to process payments. It is the foundation for trust with regulators, banks, card schemes, and counterparties. Build it like you plan to be supervised for years, because you will be.

If you want one practical north star, use this: design a model you can explain in ten minutes, evidence in documents, and operate on a bad day when fraud spikes and a key vendor is down. That is the version of your business that gets authorised, and stays authorised.