EU Payment Institution Licence: How to Get Authorised in Europe (2026)
- Apr 10
- 19 min read
Updated: 2 days ago
Quick summary. An EU Payment Institution (PI) licence is the PSD2 authorisation that lets a non-bank firm provide regulated payment services across the European Economic Area. Initial capital is €20,000, €50,000 or €125,000 depending on services (these are statutory minimums set by PSD2). Authorisation takes 6 to 9 months in Lithuania, 8 to 12 months in Ireland, Netherlands and Luxembourg, and 12 to 18 months in Germany. The licence passports across all 27 EU Member States. PSD3 and the new Payment Services Regulation will reshape the regime in 2026 to 2027.
Quick answers
A Payment Institution (PI) licence is the EU authorisation that allows a non-bank firm to provide regulated payment services across the European Economic Area under the Second Payment Services Directive (PSD2). It is the most common fintech licence in Europe, sitting between a bank charter and an agent registration. Once issued by the home Member State competent authority, it can be passported across the entire EEA without further authorisation. This guide covers the full 2026 picture: the PSD2 framework, the eight regulated services, capital and own funds, safeguarding, EU passporting, the choice of jurisdiction (Lithuania, Ireland, the Netherlands, Malta, France, Germany, Luxembourg), the application process, why applications are increasingly refused, and the PSD3 and Payment Services Regulation (PSR) transition that will reshape the regime in 2026 to 2027.
What is a Payment Institution under PSD2?
A Payment Institution is a non-bank legal person authorised under Article 11 of PSD2 to provide one or more of the eight regulated payment services listed in Annex I of the Directive. The PI regime was created by the original Payment Services Directive in 2007 to open the EU payments market to non-bank competition and was substantially expanded by PSD2 in 2018 to include payment initiation services (PIS) and account information services (AIS).
A PI can provide every payment service under PSD2 Annex I but cannot issue electronic money: stored-value, prepaid cards and digital wallet balances require an Electronic Money Institution (EMI) licence under the Second Electronic Money Directive (2009/110/EC). A PI cannot take deposits or lend on its own account: those activities are reserved for credit institutions under the Capital Requirements Directive. Funds held by a PI for the execution of payment transactions must be ring-fenced (safeguarded) and cannot be used for the firm's own account or for lending, except for short credit tightly linked to a payment transaction.
A lighter "small PI" regime exists at national level for firms below a turnover threshold, generally €3 million average monthly payment volume. Small PIs face lower capital, lighter reporting and a simpler authorisation process, but they cannot passport into other EEA Member States. Whether a small PI regime is available depends on the Member State: it exists in the UK (as the Small Payment Institution registration), Lithuania, Belgium, France and a handful of others, but not in every jurisdiction.
The Account Information Service Provider (AISP) registration is a separate, lighter regime under PSD2 Article 33 for firms providing only account information services. AISPs face no initial capital requirement but must hold appropriate professional indemnity insurance covering both their potential liability to account servicing payment service providers (ASPSPs) and to the customers whose accounts they access.
The eight regulated services under PSD2 Annex I
PSD2 Annex I sets out the eight regulated payment services. A PI applies for authorisation in respect of one or more of these services and is permitted to provide only the services for which it has been authorised. The services are:
Services enabling cash to be placed on a payment account and the operations required for operating a payment account.
Services enabling cash withdrawals from a payment account and the operations required for operating a payment account.
The execution of payment transactions, including direct debits, payment card transactions and credit transfers, where the funds are covered by the user's payment account.
The execution of payment transactions where the funds are covered by a credit line, including direct debits, card transactions and credit transfers.
The issuing of payment instruments and the acquiring of payment transactions (merchant acquiring).
Money remittance.
Payment initiation services.
Account information services.
The choice of services drives the rest of the application. It dictates the initial capital tier, the ongoing own funds calculation, safeguarding obligations, IT and operational requirements, and the depth of regulator scrutiny. Applicants are typically asked to justify why each service is needed for the business model and how it will be delivered in practice. Speculative or "umbrella" permissions tend to be challenged.
Initial capital and ongoing own funds
PSD2 Article 7 sets three initial capital tiers, calibrated to the highest-capital service in the licence scope. The tiers are €20,000 for money remittance only; €50,000 for payment initiation services; and €125,000 for the execution of payment transactions, the issuing of payment instruments, merchant acquiring and any combination involving those services. Capital must be paid up in cash, fully unencumbered and held in a credit institution within the EEA at the point of authorisation. AISPs face no initial capital requirement but must hold professional indemnity insurance.
Ongoing own funds are calculated under one of four methods set out in PSD2 Article 9: Method A (a percentage of fixed overheads, typically applied in the early years); Method B (a tiered percentage of total payment volume, the most commonly applied method for established PIs); Method C (a percentage of relevant indicators including interest income, commissions and other operating income, calibrated by a risk multiplier from 0.5 to 1.5); and Method D (a separate calculation specific to PISPs and AISPs reflecting their different risk profile). The competent authority assigns the method during authorisation having regard to the firm's business model and risk.
Own funds must be reviewed at every reporting date and any shortfall must be remediated immediately. Persistent breach is a serious supervisory issue and can lead to permission restriction or, in extreme cases, withdrawal of authorisation.
Safeguarding under PSD2
PSD2 Article 10 requires Member States to ensure that PIs safeguard customer funds received for the execution of payment transactions. There are two permitted methods: segregation in a dedicated account at a credit institution (or in low-risk secure assets defined by the European Banking Authority), or coverage by an insurance policy or comparable guarantee from a credit institution or insurance undertaking that is not part of the same group.
Implementation of Article 10 has historically varied across Member States. Lithuania, Ireland and the Netherlands have applied a relatively prescriptive approach with daily reconciliation expectations and clear safeguarding bank requirements. Other jurisdictions have been lighter touch. Following high-profile EMI failures in 2020 to 2023 (most notably Wirecard) and the UK's introduction of the prescriptive PS25/12 / CASS 15 regime in 2026, several EU regulators are reviewing their safeguarding rules. PSD3 and the PSR will harmonise safeguarding requirements substantially upwards across the EU, requiring daily reconciliation, statutory protection of client funds and enhanced reporting (see "PSD3 and the PSR" below).
Firms applying for a PI licence in 2026 should plan for the higher post-PSD3 safeguarding standard rather than the current Article 10 minimum, even where the local regulator has not yet formally adopted the higher standard. The transition cost of building once for the future regime is significantly lower than the cost of rebuilding mid-cycle.
The EU passport
Once authorised, a PI can passport its services across the entire EEA under either of two routes set out in PSD2 Articles 28 and 29: freedom to provide services (cross-border services from the home Member State without local establishment) or freedom of establishment (a local branch, agent or distributor in the host Member State). Passporting is a notification, not a second authorisation: the home regulator reviews the notification and forwards it to the host regulator, which has one month to respond. The host regulator can refuse or condition passporting only on narrowly defined grounds (typically AML or consumer protection concerns).
The passport is the central commercial benefit of an EU PI licence. A firm authorised in Lithuania can serve customers in Germany, France, Italy, Spain and every other EEA country without seeking local authorisation, subject to compliance with local conduct rules and AML supervision in the host state. The European Banking Authority maintains a central register listing every authorised PI and EMI in the EEA, including their passporting status, which is the authoritative source of public information on cross-border activity.
PIs can also work through agents (registered with the home regulator and listed in the EBA Central Register) and distributors (for EMIs only). Agents do not need their own licence but must meet fit-and-proper standards and operate under the principal PI's responsibility. The principal is fully accountable for the agent's conduct and AML compliance, and many regulators apply heightened scrutiny to agent-heavy models.
Choosing the right Member State
Every EEA regulator applies the same PSD2 Directive, but the experience of getting authorised, the operating environment after authorisation and the ecosystem of supporting infrastructure vary substantially. The choice of Member State for a new PI is one of the most consequential strategic decisions in the entire authorisation project. The factors that matter most are: regulator approachability and predictability, language of process, published timelines, fintech experience, banking access for safeguarding, talent pool, substance expectations, ongoing supervisory style, and corporate environment.
The leading jurisdictions for new PI authorisations in 2026 are as follows.
Lithuania is the fintech licensing leader of the EU by volume and has been since the post-Brexit reorganisation of the European fintech market in 2017 to 2020. The Bank of Lithuania conducts the authorisation process in English, publishes a six-month timeline for complete files, operates a newcomer programme that includes pre-application engagement, and runs a regulatory sandbox. Lithuania has the largest population of authorised PIs and EMIs per capita in the EU, deep talent pool in Vilnius and Kaunas, and established safeguarding banking arrangements (notably with Citadele, SEB and several specialist EU banks). Substance requirements include a Lithuanian-resident senior manager, real local office and meaningful local headcount; "letterbox" arrangements are increasingly challenged. Lithuania has tightened its supervisory approach since 2022 following several high-profile EMI failures and is no longer the easiest jurisdiction in the EU, but it remains the most efficient for a serious applicant.
Ireland is the second most prominent fintech licensing jurisdiction in the EU and the natural choice for English-speaking firms with North American or UK heritage. The Central Bank of Ireland conducts the process in English, publishes a target timeline of six months but in practice typically takes eight to twelve months for complete files. Ireland's authorisation standard is among the highest in the EU: governance, senior manager experience and operational substance are tested rigorously, and many firms find Ireland materially harder than Lithuania. The trade-off is a strong operating environment post-authorisation, deep banking infrastructure, an excellent talent pool in Dublin and a corporate framework familiar to international groups.
The Netherlands is increasingly chosen by firms with a mainland European focus. De Nederlandsche Bank (DNB) is a sophisticated, well-resourced regulator with a methodical authorisation process and clear written communication. Dutch authorisation typically takes nine to fifteen months for a PI and standards are high. The Netherlands offers excellent banking infrastructure, a strong fintech ecosystem in Amsterdam, and proximity to major European corporate markets. Dutch substance expectations are firm: a real Amsterdam office and local senior management are required.
Malta is a smaller jurisdiction with a long-established financial services sector and a fintech-friendly regulator (the Malta Financial Services Authority, MFSA). Malta offers EU passporting, English-language process, a competitive corporate tax framework and a relatively short authorisation timeline (typically six to nine months). The trade-off is reputational: Malta's appearance on the FATF grey list from 2021 to 2022 (since removed) and several high-profile enforcement matters have resulted in heightened banking caution and supervisory scrutiny across EU regulators where Malta-licensed firms passport in. Malta remains a viable choice for the right model but should be selected with care and with a clear narrative on substance and AML.
France is a serious option for firms with a French-speaking or Southern European customer focus. The Autorité de Contrôle Prudentiel et de Résolution (ACPR), the prudential supervisor, conducts authorisation in French, applies a methodical and demanding process, and typically takes nine to fifteen months. France offers an excellent talent pool, strong banking infrastructure and a sophisticated fintech ecosystem in Paris. The language requirement is real: the authorisation file and ongoing supervisory engagement are conducted in French, and firms without local language capacity should expect this to add significant cost and time.
Germany is chosen by firms with a German-speaking customer focus or a serious commitment to the largest single European market. BaFin conducts authorisation in a hybrid of German and English (with German required for substantive submissions in most cases), applies a rigorous and unhurried process, and typically takes twelve to eighteen months. Germany offers world-class banking infrastructure, a deep talent pool and the largest payments market in continental Europe. Substance expectations are among the highest in the EU.
Luxembourg is selected by firms targeting the wealth management, asset servicing and corporate payment markets. The Commission de Surveillance du Secteur Financier (CSSF) conducts authorisation in English and French, applies a high standard, and typically takes nine to fifteen months. Luxembourg offers an exceptional banking ecosystem, sophisticated regulatory environment and proximity to major asset managers and family offices. Operating costs are higher than in Lithuania or Malta but lower than in London or Paris for the regulated activity itself.
A practical default for most fintech models in 2026 is Lithuania for a fast efficient first authorisation, with the option to add a second authorisation in Ireland, the Netherlands or Germany once the business is established and warrants the additional cost. For asset-servicing or wealth-management adjacent models, Luxembourg is often the better starting point. For B2C consumer fintech with a German-speaking focus, Germany is worth the additional time and cost from the outset.
The application process
Notwithstanding national variation, the PI authorisation process across the EU follows a common structure under the EBA's Guidelines on authorisation and registration under PSD2. The structure is as follows.
Pre-application engagement. Most regulators offer or expect a pre-application meeting in which the applicant presents the business model, target services and proposed governance. Some (Lithuania, Ireland, the Netherlands) have formal newcomer programmes; others (France, Germany) handle pre-application through informal contact. Pre-application engagement is materially valuable: it surfaces issues early and creates a relationship with the regulator before the formal file is submitted.
Application file. The file consists of standardised forms (largely harmonised across the EU under EBA guidelines) and a detailed Programme of Operations and supporting policies. The Programme of Operations is the equivalent of the UK Regulatory Business Plan and is the single most important document: it describes the business model, services, target customers, distribution channels, geographical scope, three-year financial projections, governance, risk framework, AML framework, safeguarding arrangements, IT and information security, operational resilience, and outsourcing. The Programme of Operations for a PI typically runs to 80 to 200 pages plus annexes.
Supporting policies include AML and financial crime policy, sanctions policy, safeguarding policy, risk management framework, capital adequacy assessment, business continuity plan, IT and information security policy, outsourcing policy, complaints handling policy, fraud policy, conflicts policy, governance documentation, fitness and propriety assessments, training policy and record keeping policy.
Senior manager approval. Every proposed senior manager (typically the CEO, CFO, COO, MLRO and head of compliance at minimum) requires individual approval. This involves a CV, statement of responsibilities, evidence of fitness and propriety, and (in most jurisdictions) a personal interview with the regulator. Lithuania, Ireland and the Netherlands all conduct rigorous senior manager interviews; Malta and France are slightly lighter; Germany is among the most rigorous.
Capital evidence. Initial capital must be paid up and held in a credit institution within the EEA at the point of authorisation, evidenced by bank confirmation. In practice, regulators want to see capital paid up before granting authorisation but most accept a "minded to approve" structure where the capital is paid in the final stages.
Information requests. Applicants should expect three to five rounds of information requests during the assessment period. The first round usually arrives four to eight weeks after submission and is normally substantial. Each round of requests pauses the statutory clock under "stop the clock" provisions.
Conditions precedent and authorisation. The assessment concludes with a "minded to approve" letter setting out conditions: typically capital paid up, key hires on board, safeguarding arrangements live, IT systems tested, and any specific commitments confirmed. Authorisation is granted when conditions are satisfied.
Passporting. Once authorised, the PI submits passporting notifications to the home regulator for each Member State where it intends to operate. The home regulator reviews and forwards to the host regulator, which has one month to respond. Passporting can typically begin two to three months after authorisation.
Realistic timelines
PSD2 sets a statutory three-month decision period for a complete application. In practice, end-to-end timelines for a PI in the EU in 2026 are: four to eight weeks of pre-application preparation; six to nine months from submission to authorisation in Lithuania for a well-prepared application; eight to twelve months in Ireland, the Netherlands or Luxembourg; nine to fifteen months in France; and twelve to eighteen months in Germany. Add two to three months for passporting after authorisation.
Stop-the-clock provisions can extend the assessment period substantially. Each round of regulator information requests pauses the statutory clock and resumes only when the applicant submits a complete response. In a heavily challenged file, the cumulative stop-the-clock can add six months or more to the published timeline.
The single biggest controllable variable, as in the UK, is application quality at submission. A polished, complete file dramatically reduces information request rounds and the regulator's deep-dive scrutiny.
Common reasons for refusal or forced withdrawal
European regulators have tightened gateway standards in parallel with the FCA since 2022, partly in response to high-profile EMI and PI failures (Wirecard, Railsr, the Banking Circle of Lithuania matter, several smaller events) and partly under pressure from the European Banking Authority. Refusal and withdrawal rates vary by Member State but the patterns are consistent.
The most common reasons for refusal or forced withdrawal across the EU are: thin or generic Programmes of Operations that read as templates; weak governance with insufficiently experienced senior managers, particularly in compliance and risk; AML frameworks that are off-the-shelf and not calibrated to the business model; capital plans that do not survive stress testing; senior managers who fail fitness and propriety because of past conduct, weak experience or unconvincing interview performance; and, increasingly, "letterbox" arrangements where the firm's substance is largely in another jurisdiction. Lithuania in particular has been explicit since 2023 that it will refuse applicants who cannot demonstrate genuine local substance.
Where the regulator forms a view that the application is unlikely to succeed, it generally suggests withdrawal rather than proceed to refusal. Withdrawal is preferable to a published refusal but neither is desirable: rebuilding an application after withdrawal typically takes six to twelve months and the firm's track record in the home Member State is now part of its file. Reapplying in a different Member State is possible but the second regulator will request the prior application file as part of fitness and propriety review.
DORA: the digital operational resilience requirement
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, has applied to PIs and EMIs from 17 January 2025. DORA is a comprehensive operational resilience and ICT risk management framework covering five pillars: ICT risk management (a board-owned framework, written policy, risk assessment and ongoing monitoring); ICT-related incident reporting (classification, root cause analysis and reporting to the competent authority for major incidents); digital operational resilience testing (vulnerability assessments, penetration testing and threat-led penetration testing for significant firms); third-party ICT risk management (contractual standards, register of ICT third parties, exit strategies); and information sharing.
DORA is fully in scope for any PI authorisation in 2026 and the documentation must be in the application file. Firms applying for authorisation now should expect detailed regulator examination of DORA compliance, particularly around ICT third-party risk management (which is structurally challenging for fintech firms heavily reliant on cloud and SaaS providers).
PSD3 and the Payment Services Regulation
The European Commission published the PSD3 Directive and Payment Services Regulation (PSR) proposals in June 2023. The Council and the European Parliament reached a provisional political agreement in 2025 and national transposition is expected eighteen months after entry into force. The PSR will be directly applicable across the EU without national transposition. Plan for applicability around 2026 to 2027.
PSD3 and the PSR introduce several material changes for PIs.
A single licence regime will merge the PI and EMI authorisations into a single "payment institution" authorisation, with electronic money treated as a sub-category of payment services. Existing EMIs and PIs will be grandfathered into the new regime but will need to refresh certain elements of their authorisation file within a transition window.
Mandatory IBAN-name verification (often called "Verification of Payee", VoP) will require PIs to verify that the payee name supplied by the payer matches the name registered against the destination IBAN before executing a credit transfer. This applies to all SEPA credit transfers and is intended to reduce authorised push payment fraud.
Expanded liability for authorised push payment fraud will require PIs to reimburse customers in defined circumstances, broadly aligning the EU regime with the UK APP fraud reimbursement scheme that has been mandatory since October 2024.
Stronger access rights to credit institution accounts will require credit institutions to provide payment accounts to PIs unless there are objective grounds for refusal (such as AML concerns). This addresses the operating reality that many PIs and EMIs have struggled to obtain or retain banking relationships, particularly in jurisdictions where local banks are conservative.
Tightened safeguarding requirements will substantially harmonise the EU safeguarding regime upwards, requiring daily reconciliation, enhanced reporting and stronger statutory protection of customer funds. The detail will be set out in technical standards under PSR Article 9 and is expected to be broadly comparable to the UK's CASS 15 regime in operational substance.
Strengthened conduct rules will move from the Directive into the directly applicable Regulation, ensuring uniform application across Member States and reducing the scope for divergent national interpretation.
Firms applying for a PI licence in 2026 should plan for these changes rather than design only for the current PSD2 regime. Building infrastructure that survives the PSD3 transition is significantly cheaper than rebuilding mid-cycle.
How Buckingham Capital Consulting can help
Buckingham Capital Consulting has advised payment institutions and electronic money institutions on regulatory licensing across the United Kingdom and Europe since 2013, well before the introduction of PSD2, the post-Brexit fragmentation of the European fintech market and the new safeguarding and operational resilience regimes that define the 2026 landscape. Over the past 13 years we have authorised and registered hundreds of firms across multiple EU jurisdictions, spanning Authorised Payment Institutions, Small Payment Institutions, Account Information Service Providers, Authorised and Small Electronic Money Institutions, merchant acquirers, money remitters, payment initiation service providers, open banking firms and corporate payment platforms.
Our team has direct, repeated experience with the Bank of Lithuania, the Central Bank of Ireland, De Nederlandsche Bank and the Dutch AFM, the Malta Financial Services Authority, the French Autorité de Contrôle Prudentiel et de Résolution, the Luxembourg Commission de Surveillance du Secteur Financier, BaFin and the FCA. This breadth gives us a practical understanding of how each competent authority approaches PI applications, what each regulator challenges at the gateway, where each regulator is more or less efficient, and what each expects from authorised firms post-authorisation.
We manage the full Payment Institution authorisation process across Europe as a single engagement. This includes business model and licence-scope assessment, jurisdiction selection based on the firm's target markets, customer base, talent and tax considerations, EU company incorporation and substance arrangements, preparation of the complete application file including the Programme of Operations, governance and senior manager framework, AML and financial crime programme, safeguarding policy aligned to current PSD2 and the forthcoming PSR, DORA-compliant ICT risk management documentation, IT and information security policy, capital adequacy calculations, three-year financial projections, fitness and propriety assessments, appointment of the MLRO and other approved persons, management of all regulator correspondence and information requests, EU banking introductions and safeguarding account opening, and post-authorisation passporting notifications across the EEA.
For existing PIs and EMIs preparing for the PSD3 and PSR transition, we conduct a gap analysis against the new regime and project-manage the upgrade. For groups maintaining parallel UK and EU authorisations following Brexit, we coordinate the two regimes to minimise duplication and ensure consistent governance, AML and safeguarding standards across both. After authorisation, we provide ongoing compliance support including safeguarding oversight, regulatory reporting, policy updates, governance reviews and preparation for supervisory engagement.
If you are planning to apply for an EU Payment Institution licence, choosing between Member States, considering a UK and EU dual-licence structure, or preparing for the PSD3 and PSR transition, contact our team for an initial assessment.
Email: info@buckinghamcapitalconsulting.co.uk Tel: 0207 866 2512
Frequently asked questions
Which EU country is the easiest for a fintech to obtain a Payment Institution licence in 2026? Lithuania remains the most efficient EU jurisdiction for a serious fintech applicant. The Bank of Lithuania conducts the process in English, publishes a six-month target timeline for complete files, runs a newcomer programme and a regulatory sandbox, and has the largest fintech ecosystem in continental Europe. Lithuania has tightened its standards since 2022 and "easy" no longer means "lenient": substance is firmly required and weak applications are refused. Ireland, the Netherlands and Malta are credible alternatives. The optimal jurisdiction depends on the target market, talent location, banking access and tax framework, not on shopping for the lightest gateway.
How long does it take to get a Payment Institution licence in the EU? PSD2 sets a statutory three-month decision period for a complete application. Realistic end-to-end timelines in 2026 are six to nine months in Lithuania, eight to twelve months in Ireland, the Netherlands and Luxembourg, nine to fifteen months in France, and twelve to eighteen months in Germany. Add four to eight weeks for application preparation before submission and two to three months for passporting after authorisation. Stop-the-clock provisions during information request rounds can extend the assessment significantly.
What is the initial capital required for a Payment Institution licence in the EU? PSD2 sets three initial capital tiers: €20,000 for money remittance only, €50,000 for payment initiation services, and €125,000 for the execution of payment transactions, the issuing of payment instruments and merchant acquiring. Where services span multiple tiers, the highest tier applies. Capital must be paid up in cash, fully unencumbered and held in an EEA credit institution at the point of authorisation. Account Information Service Providers face no initial capital requirement but must hold professional indemnity insurance.
What is the EU passport and how does it work? The EU passport is the right of an authorised PI to provide services across the entire European Economic Area without further authorisation. Once authorised in the home Member State, the PI submits passporting notifications to the home regulator for each country where it intends to operate, under either freedom to provide services (cross-border without local establishment) or freedom of establishment (a local branch, agent or distributor). The home regulator reviews and forwards to the host regulator, which has one month to respond. Passporting is a notification, not a second authorisation, and is the central commercial benefit of an EU PI licence.
What is the difference between a Payment Institution and an Electronic Money Institution in the EU? A Payment Institution provides regulated payment services under PSD2 but cannot issue electronic money. An Electronic Money Institution is authorised under the Second Electronic Money Directive to issue electronic money, including stored-value, prepaid cards and digital wallet balances, and can also provide all the services of a PI. EMIs face higher initial capital requirements (€350,000 minimum) and ongoing own funds calibrated to e-money in issue. Under PSD3 the two regimes will merge into a single payment institution authorisation with electronic money treated as a sub-category of payment services.
What is PSD3 and the PSR and when will they apply? PSD3 is the proposed Third Payment Services Directive and the PSR is the proposed Payment Services Regulation, published by the European Commission in June 2023. The Council and European Parliament reached a provisional agreement in 2025 and applicability is expected in 2026 to 2027 following national transposition (PSD3) and direct application (PSR). The package merges PI and EMI authorisations into a single licence, introduces mandatory IBAN-name verification, expands authorised push payment fraud liability, strengthens PI access to credit institution accounts and tightens safeguarding requirements substantially.
Does a UK firm need a separate EU Payment Institution licence after Brexit? Yes. PSD2 passporting between the UK and the EU ended on 31 December 2020. A UK Authorised Payment Institution that wishes to provide services into the EEA must obtain a separate authorisation in an EU Member State and operate that authorisation in parallel with the UK licence. Lithuania, Ireland and the Netherlands are the most common choices. Many UK fintechs operate dual UK and EU authorisations, with consistent group-wide governance, AML and safeguarding standards but separate legal entities and capital pools.
What does DORA require of payment institutions in 2026? The Digital Operational Resilience Act has applied to PIs and EMIs since 17 January 2025. DORA requires a comprehensive ICT risk management framework owned by the board, written policies, ICT risk assessment, incident classification and reporting, regular operational resilience testing including (for significant firms) threat-led penetration testing, contractual standards for ICT third parties, a register of ICT third parties, exit strategies for critical providers, and information sharing arrangements. DORA documentation must be in the PI application file from 2026 onwards and is examined in detail during authorisation.
Can a Payment Institution provide consumer credit? A Payment Institution can grant credit only where the credit is short-term, ancillary to a payment service, and not granted out of funds received or held for the execution of payment transactions. This is set out in PSD2 Article 18. Credit beyond this narrow scope requires authorisation as a credit institution under the Capital Requirements Directive, or under national consumer credit regimes. PIs that wish to offer broader credit products typically do so through a separately authorised entity in the same group.
How much does it cost to obtain an EU Payment Institution licence? Cost varies materially by jurisdiction, business model complexity and starting position. The largest components are senior management hiring (a small leadership team is the single biggest line), technology build (covering safeguarding, AML and DORA-compliant ICT), legal and consulting fees, and run-rate to authorisation. Application fees themselves are set by each NCA and are a small fraction of total cost. Lithuania and Malta typically sit at the lower end of the range; Germany, France and the Netherlands at the upper end.
