UK Payment Institution Licence: How to Get FCA Authorisation in 2026

Quick summary. A UK Payment Institution (PI) licence — formally called Authorised Payment Institution (API) authorisation — is the FCA permission that lets a non-bank firm provide regulated payment services in the UK under the Payment Services Regulations 2017. Initial capital is £20,000, £50,000 or £125,000 depending on services (these are statutory minimums set by the PSRs 2017). A complete application takes 6 to 10 months from submission, plus 4 to 8 weeks of preparation. Approximately 1 in 5 applications is refused or forced to withdraw. The new PS25/12 safeguarding regime is in force from 7 May 2026 and applies to every authorised PI holding customer funds.

Quick answers

• Who needs an API licence?

• How much capital do you need?

• How long does it take?

• What is the FCA application fee?

• Why are 1 in 5 applications refused?

• What is PS25/12?

The Authorised Payment Institution (API) licence is the Financial Conduct Authority (FCA) authorisation that allows a non-bank firm to provide regulated payment services in the United Kingdom. It is the most common UK fintech licence after small payment institution registration, used by merchant acquirers, money remitters, payment platforms, open banking providers and corporate payment firms. This guide covers everything that matters in 2026: the legal framework, the eight regulated services, capital and own funds, the new PS25/12 safeguarding regime in force from 7 May 2026, governance and senior manager expectations, the FCA application process, realistic timelines, why approximately one in five applications now gets refused, and what authorisation looks like in operation.

What is an Authorised Payment Institution?

An Authorised Payment Institution is a firm authorised by the FCA under the Payment Services Regulations 2017 (PSRs 2017) to provide one or more of the eight regulated payment services listed in Schedule 1 Part 1 of those Regulations. The PSRs 2017 transposed the EU's Second Payment Services Directive (PSD2) into UK law and remain in force following the UK's departure from the European Union. The legal framework is therefore substantively aligned with PSD2, although the UK and EU regimes have begun to diverge in specific areas, most notably safeguarding (where the UK's PS25/12 is more prescriptive than current EU rules) and authorised push payment (APP) fraud reimbursement (mandatory in the UK since 7 October 2024, still being legislated in the EU).

An API can provide every payment service permitted under the PSRs 2017, including merchant acquiring, payment execution, money remittance, the issuing of payment instruments, payment initiation services (PIS) and account information services (AIS). It cannot, however, issue electronic money: stored value, prepaid cards and digital wallet balances require an Electronic Money Institution (EMI) licence under the Electronic Money Regulations 2011. An API cannot accept deposits or lend on its own account: those activities are reserved for credit institutions authorised under the Financial Services and Markets Act 2000.

The Small Payment Institution (SPI) regime is a lighter alternative for firms with average monthly payment transactions of no more than €3 million. SPIs face a simpler registration process, no initial capital requirement, no safeguarding obligation (although voluntary safeguarding is strongly recommended) and reduced ongoing reporting. SPIs cannot provide payment initiation services or account information services and cannot passport into the EU.

The Registered Account Information Service Provider (RAISP) regime is a separate, lighter registration available to firms providing only account information services. RAISPs have no initial capital requirement but must hold appropriate professional indemnity insurance.

The eight regulated payment services

The PSRs 2017, Schedule 1 Part 1, define eight regulated payment services. An API applies for authorisation in respect of one or more of these services and is permitted to provide only those services for which it has been authorised. The services are:

Services enabling cash to be placed on a payment account and the operations required for operating a payment account. Services enabling cash withdrawals from a payment account and the operations required for operating a payment account. The execution of payment transactions, including direct debits, payment card transactions and credit transfers, where the funds are covered by the user's payment account. The execution of payment transactions where the funds are covered by a credit line, including direct debits, card transactions and credit transfers. The issuing of payment instruments, including cards and similar devices, and the acquiring of payment transactions (merchant acquiring). Money remittance. Payment initiation services (PIS). Account information services (AIS).

Choice of services drives the rest of the application. It dictates the initial capital tier, the ongoing own funds calculation, the operational and safeguarding requirements, the IT systems required and, in many cases, the level of FCA scrutiny the application will attract. Applicants are routinely asked to justify why each service is needed for the business model and how it will be delivered in practice. Speculative or "in case we need it later" permissions are a common reason for FCA challenge and should be avoided.

Initial capital requirements

The PSRs 2017 set three initial capital tiers for Authorised Payment Institutions, calibrated to the services provided. The tier is determined by the highest-capital service in the licence scope. All capital must be paid up in cash, fully unencumbered and held in a UK credit institution at the point of authorisation.

A money remittance only API requires £20,000 of initial capital. A payment initiation service provider (PISP) requires £50,000. An API providing any of the four "execution" services (services 1 to 4 above), the issuing of payment instruments or merchant acquiring requires £125,000. Where a firm combines services across tiers, the highest tier applies. An AIS-only firm registers as a RAISP and requires no initial capital but must hold professional indemnity insurance covering both its potential liability to account servicing payment service providers (ASPSPs) and to the customers whose accounts it accesses.

These figures are stated in pounds sterling under the PSRs 2017 although they reflect the euro thresholds set out in PSD2 (€20,000, €50,000 and €125,000). Firms applying for an API licence in 2026 should plan for the £125,000 tier in most cases: businesses pursuing the lower tiers tend to have very specific, narrow models, and many remittance-only firms eventually broaden their scope.

Ongoing own funds: Methods A, B, C and D

Initial capital is the threshold to enter; ongoing own funds are the threshold to remain authorised. The PSRs 2017 require an API to hold own funds at all times equal to the higher of the initial capital figure above and the amount calculated using one of four methods, A, B, C or D, set out in Regulation 22 and explained in detail in the FCA's Approach Document. The FCA assigns the method during authorisation, having regard to the firm's business model, scale and risk profile.

Method A is a percentage of fixed overheads and is generally applied to firms in their early years when payment volumes are low. Method B is a tiered percentage of total payment volume, scaling down as volume increases, and is the most commonly applied method for established APIs. Method C is a percentage of relevant indicators (interest income, commissions, other operating income) calibrated by a risk multiplier from 0.5 to 1.5. Method D is a separate calculation specific to PISPs and AISPs, reflecting their different risk profile.

Own funds must be reviewed at every reporting date and any shortfall must be remediated immediately. Persistent breach of own funds requirements is a serious supervisory issue and can lead to permission restriction, requirement notices or, in extreme cases, withdrawal of authorisation.

Safeguarding: PS25/12 and the new CASS 15 regime

Safeguarding is the single most important regulatory issue facing UK payment institutions in 2026. The FCA's Policy Statement PS25/12, published in August 2025, creates a new client funds regime under a dedicated CASS 15 sourcebook, in force from 7 May 2026. PS25/12 applies to all authorised payment institutions providing services that involve holding customer funds (effectively all APIs except AIS-only and PIS-only firms) and to all authorised electronic money institutions. SPIs are not in scope but many will adopt the framework voluntarily as a matter of governance and to support transition to API status.

The core elements of CASS 15 are as follows.

A statutory trust is created over client funds, modelled on the CASS 7 client money rules that have applied to investment firms for years. Funds held by an API for the execution of payment transactions are held on trust for the customer and are protected from the firm's general creditors in the event of insolvency. This is a significant strengthening of the previous safeguarding regime, which relied on a contractual segregation arrangement.

Daily reconciliation is mandatory. Firms must reconcile their internal records of customer funds against the safeguarding account balance at the safeguarding institution every business day, with documented evidence retained. Reconciliation breaks must be investigated and resolved within strict timelines and material breaches must be reported to the FCA.

A monthly safeguarding supervisory return must be submitted to the FCA. The return covers the volume and value of safeguarded funds, the safeguarding institutions used, reconciliation breaks, and any incidents during the month. The FCA uses these returns to identify outliers and to direct supervisory attention.

An annual safeguarding audit must be conducted by a qualified statutory auditor under the Financial Reporting Council's new CASS 15 auditing standard. The audit is a substantive examination of the firm's safeguarding controls, not a light-touch review, and audit findings must be remediated and reported to the FCA. The market for CASS 15 audits is concentrated and audit capacity is a real planning issue: firms that leave the appointment of an auditor late will struggle.

A CASS 10 Resolution Pack must be retrievable within 48 hours. The Resolution Pack is the package of records and information that an insolvency practitioner would need to identify, segregate and return client funds in the event of firm failure, and the 48-hour retrievability requirement means firms must invest in document management and process discipline rather than treating the Pack as a static binder.

In practical terms, PS25/12 has changed the operating cost base of every UK payment institution. Most firms have spent the past nine to twelve months building daily reconciliation tooling, hiring or upskilling finance and compliance staff, appointing or re-appointing safeguarding banks, drafting CASS 15 policies, contracting auditors and updating board reporting. Firms applying for authorisation now must demonstrate CASS 15 readiness in the application file: the days of "we will implement safeguarding when we go live" are over.

Governance and senior managers

Governance is one of the six core areas the FCA assesses at the gateway and a frequent reason for application challenge or refusal. The FCA expects an API's governance arrangements to be commensurate with the nature, scale and complexity of the business, and to be fully embedded before authorisation is granted, not assembled afterwards.

The minimum expectation is a board with a majority of non-executive directors, an independent chair, executive senior managers covering the CEO, CFO and money laundering reporting officer (MLRO) roles at minimum, and clearly defined first, second and third lines of defence. Larger or more complex firms are expected to add a chief operating officer, chief technology officer, head of risk and head of compliance. The FCA expects senior managers to have demonstrable, role-specific experience in payment services or a closely related regulated sector. Career generalists with no payments experience are routinely challenged at the fitness and propriety stage.

The Senior Managers and Certification Regime (SM&CR) applies to APIs in its full form. Senior managers performing designated senior management functions (SMFs) require individual approval from the FCA, which involves a detailed Form A, a statement of responsibilities, and increasingly a fitness and propriety interview with the FCA. The MLRO is approved separately. Certified persons performing material risk-taking or customer-facing roles must be assessed annually by the firm and given a fitness statement.

The board's role in safeguarding under PS25/12 is now explicit. The board is accountable for the firm's safeguarding arrangements, must receive monthly management information on safeguarding, and must approve the annual safeguarding policy and the appointment of the safeguarding auditor. This is a meaningful change from the pre-2026 regime, in which safeguarding was often delegated to operations or finance with limited board visibility.

AML and financial crime

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) apply to APIs in full. The FCA's gateway expectation is a fully written and operational financial crime framework at the point of authorisation, not a framework to be developed later.

The framework must include a documented business-wide risk assessment, customer risk assessment methodology, customer due diligence (CDD) and enhanced due diligence (EDD) procedures, ongoing monitoring arrangements, sanctions screening (against the UK consolidated list, OFAC and EU lists at minimum), suspicious activity reporting (SAR) procedures aligned with the National Crime Agency's expectations, transaction monitoring arrangements with documented thresholds and rules, record keeping policies, training, and clear ownership by the MLRO under SMF17. The MLRO must report to the board annually on financial crime risks and controls.

The FCA's March 2024 Dear CEO letter to payment firms identified financial crime controls as a recurring weakness and has fed directly into the more assertive gateway approach since then. Applications with thin or off-the-shelf AML policies are now routinely returned with major information requests.

Operational resilience and Consumer Duty

The FCA's operational resilience policy (PS21/3) has applied in full since 31 March 2025. APIs must identify their important business services, set impact tolerances, map the resources supporting each service, conduct severe-but-plausible scenario testing, and demonstrate that they can remain within tolerance during a disruption. New applicants are expected to have an operational resilience framework documented and ready for implementation in the application file.

The Consumer Duty has applied to all retail-facing financial services firms since 31 July 2023. APIs whose customers include consumers (rather than only corporates) must demonstrate the four outcomes: products and services that meet consumer needs, fair value, consumer understanding, and consumer support. The Duty also requires an annual board report and ongoing monitoring of consumer outcomes. Firms with a purely B2B model are out of scope but should expect to be asked to confirm that.

Mandatory APP fraud reimbursement has applied to UK payment service providers participating in the Faster Payments Service since 7 October 2024. APIs that send or receive Faster Payments to or from UK consumers must implement the scheme, including the 50/50 cost split between sending and receiving PSPs, the £85,000 maximum reimbursement per claim and the prescribed claim and decision timelines.

The application process step by step

The FCA application is made through the FCA Connect online portal. The application file consists of a series of forms, the Regulatory Business Plan (RBP), supporting policies and procedures, financial information and individual approval forms for senior managers. There is no shortcut: every component is examined.

The Regulatory Business Plan is the single most important document. It describes the business model, target customers, services, distribution channels, geographical scope, three-year financial projections, capital plan, governance structure, risk framework, AML framework, safeguarding arrangements, IT and information security, operational resilience, and consumer outcomes (where relevant). The RBP for a UK API typically runs to 80 to 150 pages plus annexes. A weak or generic RBP is the leading cause of FCA information requests.

Supporting policies typically include: AML and financial crime policy, sanctions policy, safeguarding policy (CASS 15-aligned from 2026), risk management framework, ICAAP-equivalent capital adequacy assessment, business continuity and disaster recovery plan, operational resilience framework, IT and information security policy, outsourcing policy, complaints handling policy, fraud policy, conflicts of interest policy, governance and committee terms of reference, fitness and propriety policy, training policy, record keeping policy, and (where relevant) Consumer Duty policy.

Financial information includes audited accounts (where the firm has trading history), three-year financial projections, evidence of paid-up initial capital held in a UK credit institution, and a capital adequacy calculation under the relevant own funds method.

Individual approval forms (Form A or Long Form A as applicable) are required for every proposed senior manager. Each form must be supported by a CV, a statement of responsibilities, evidence of fitness and propriety, and (increasingly) a personal interview with the FCA.

Once submitted, the FCA acknowledges the application, typically appoints a case officer within three weeks, and begins assessment. The first round of information requests usually arrives four to eight weeks after submission and is normally substantial. Applicants should expect three to five rounds of information requests during the assessment period. The FCA may also request management interviews, a site visit (rare for new firms but increasingly common for high-risk models) or a deep dive on specific areas (typically safeguarding, AML or governance).

The assessment concludes with a "minded to approve" letter setting out conditions precedent that must be satisfied before authorisation is granted: typically capital paid up in the safeguarding-ready operating account, key hires on board, safeguarding arrangements live, and any specific commitments confirmed. Once conditions are met, authorisation is granted and the firm appears on the FCA Register and the EBA Central Register (the latter informational only, post-Brexit).

Realistic timelines

The PSRs 2017 set a statutory three-month decision period for a complete application, with a maximum of 12 months for an incomplete application. The FCA's published 2026 service standard is more nuanced: four months for complete applications and ten months for incomplete applications, reduced from the prior six and twelve months. In practice, the gap between statutory and real-world is significant.

Realistic end-to-end timelines for a UK API in 2026 are: four to eight weeks of pre-application preparation (assuming a fully resourced project), six to ten months from submission to authorisation for a well-prepared application, and 12 to 18 months for an application that is incomplete or that attracts material FCA challenge. The most successful applications cluster towards the lower end of the range; the least successful applications either withdraw or are refused after extended assessment.

The single biggest controllable variable is the quality and completeness of the application at submission. A polished, complete file dramatically reduces the number of information request rounds, the complexity of those rounds and the time the FCA spends in deep-dive review. Investing in application quality is by some distance the highest-return spend in the entire process.

Why one in five applications is now refused

The FCA's approach to payment firm authorisations has tightened materially since 2023. Refusal rates rose from approximately 1 in 14 in 2021 to approximately 1 in 5 in 2023 and have remained at that level. The FCA's 2024/25 Business Plan listed "more assertive gateway standards" as a priority outcome and the March 2024 Dear CEO letter to payment firms set out specific concerns about firms' financial resilience, safeguarding arrangements and AML controls.

The most common reasons for refusal or forced withdrawal are: thin or generic Regulatory Business Plans that read as if drafted to a template rather than for the specific business; weak governance arrangements with insufficient experienced senior managers, particularly in compliance and risk; financial crime frameworks that are off-the-shelf and not calibrated to the business model; safeguarding arrangements that are not CASS 15-ready; capital plans that do not survive stress; senior managers who fail fitness and propriety because of past conduct, weak experience or unconvincing interview performance; and, increasingly, "shop-window" UK applications by groups whose real centre of operations is elsewhere and who cannot demonstrate genuine UK substance.

Where the FCA forms a view that the application is unlikely to succeed, it will generally suggest withdrawal rather than proceed to refusal. Withdrawal is preferable to a published refusal decision, but neither is desirable: rebuilding an application after a withdrawal typically takes six to twelve months and the firm's track record is now part of its file.

After authorisation

Authorisation is the start, not the end. From day one, an authorised API must maintain its capital and own funds at all times, perform daily safeguarding reconciliation under CASS 15 (from 7 May 2026), submit monthly safeguarding returns and quarterly REP-018 returns, conduct annual safeguarding audits, file annual REP-007 financial returns, comply with Consumer Duty (where applicable), participate in the APP fraud reimbursement scheme (where applicable), notify the FCA of material changes via Form A, Form D, Form E and the variation of permission process, and engage with the FCA on supervisory engagement.

Senior managers must continue to demonstrate fitness and propriety on an ongoing basis. The FCA may conduct supervisory visits, request thematic information, issue Section 165 information requirements, or use its Section 166 skilled person review power. Supervisory engagement is generally proportionate but firms with weak governance or repeated control failings will attract escalating attention.

The PSD3 horizon

The European PSD3 Directive and Payment Services Regulation (PSR) are progressing through the EU legislative process and are expected to become applicable in 2026 to 2027. The UK is not bound by PSD3 but has signalled that it will revise the PSRs 2017 in parallel, with HM Treasury consultation expected in 2026 and a revised UK regime likely from 2027 onwards. Key directional changes likely to be replicated in the UK include: a single licence regime merging payment institutions and electronic money institutions, mandatory IBAN-name verification, expanded liability for APP fraud, and stronger access rights for payment institutions to credit institution accounts (the current opacity of which is a real operating issue for many UK APIs).

Firms applying for an API licence now should plan for these changes rather than design only for the current regime. The transition costs are real, particularly for firms that build inflexible technology platforms.

How Buckingham Capital Consulting can help

Buckingham Capital Consulting has advised payment institutions and electronic money institutions on regulatory licensing since 2013, well before PSD2, the UK's PSRs 2017 and the new PS25/12 safeguarding regime came into force. Over the past 13 years we have authorised and registered hundreds of firms across the UK and Europe, spanning Authorised Payment Institutions, Small Payment Institutions, Registered Account Information Service Providers, Authorised and Small Electronic Money Institutions, merchant acquirers, money remitters, payment initiation service providers and open banking firms. Our team has direct experience with the FCA, the Bank of Lithuania, the Central Bank of Ireland, the Malta Financial Services Authority, the Dutch AFM, the Banque de France and other European competent authorities, giving us a practical understanding of how each regulator approaches API and EMI applications, what they challenge at the gateway, and what they expect post-authorisation.

We manage the full Authorised Payment Institution authorisation process as a single engagement. This includes business model and licence-scope assessment, jurisdiction selection where multiple are viable, UK or EU company incorporation and substance arrangements, preparation of the complete application file including the Regulatory Business Plan, governance and senior manager framework, AML and financial crime programme, safeguarding policy aligned to PS25/12 and CASS 15, operational resilience and Consumer Duty documentation, IT and information security policy, capital adequacy calculations, three-year financial projections, fitness and propriety assessments, appointment of the MLRO and other approved persons, management of all FCA Connect submissions and case officer correspondence, safeguarding bank introductions, and post-authorisation passporting notifications where relevant.

For firms transitioning from a Small Payment Institution to an Authorised Payment Institution, or from an Authorised Payment Institution to an Authorised Electronic Money Institution, we conduct a gap analysis against the higher regime and project-manage the variation of permission. After authorisation, we provide ongoing compliance support including PS25/12 safeguarding reconciliation oversight, monthly FCA safeguarding returns, annual safeguarding audits, REP-007 and REP-018 reporting, policy updates, governance reviews and preparation for FCA supervisory visits. Through our affiliated platform Safeheld we provide specialist safeguarding compliance technology to authorised firms.

If you are planning to apply for a UK Payment Institution licence, considering a variation of permission, or preparing for the 7 May 2026 PS25/12 deadline, contact our team for an initial assessment.

Email: info@buckinghamcapitalconsulting.co.uk Tel: 0207 866 2512

Frequently asked questions

How long does it take to obtain an Authorised Payment Institution licence in the UK in 2026? The FCA's published 2026 service standard is four months for a complete application and ten months for an incomplete application, reduced from the prior six and twelve months. The statutory maximum is twelve months. In practice, end-to-end timelines for a UK API are six to ten months from submission to authorisation for a well-prepared application, and twelve to eighteen months for an application that is incomplete or that attracts material FCA challenge. Add four to eight weeks for application preparation before submission. The single biggest controllable variable is application quality at submission.

What is the difference between an Authorised Payment Institution and a Small Payment Institution? An Authorised Payment Institution (API) can process unlimited payment volumes and provide every regulated payment service including payment initiation and account information services. A Small Payment Institution (SPI) is capped at €3 million average monthly payment transactions, has no initial capital requirement, no mandatory safeguarding obligation, and cannot provide payment initiation or account information services. APIs face a substantially more rigorous authorisation process and ongoing supervision. SPIs that grow above the €3 million threshold must transition to API status.

What is the initial capital requirement for an API licence? Initial capital depends on the services provided. A money remittance only API requires £20,000. A payment initiation service provider (PISP) requires £50,000. An API providing payment execution, the issuing of payment instruments or merchant acquiring requires £125,000. Where services span multiple tiers, the highest tier applies. Capital must be paid up in cash, fully unencumbered and held in a UK credit institution at the point of authorisation. Ongoing own funds must equal the higher of the initial capital figure and the amount calculated under FCA-assigned Method A, B, C or D.

What is the FCA application fee? The FCA's application fee structure for payment institutions is set out in the FEES Sourcebook of the FCA Handbook and confirmed on the FCA's published authorisation fees page (last updated 3 March 2026). For an Authorised Payment Institution, the fee depends on the services applied for: an API providing services (a) to (e) — execution of payment transactions, issuing of payment instruments, merchant acquiring — falls into Category 5 with a fee of £5,580. An API providing only services (f) to (h) — money remittance, payment initiation services, account information services — falls into Category 4 with a fee of £2,790. A Small Payment Institution registration is Category 3 at £1,120. A RAISP registration is also Category 3 at £1,120. Variation of permission within the same fee block is charged at 50% of the relevant category fee. The application fee is paid via the FCA's Connect portal at submission and is non-refundable. The fee itself is a small fraction of the broader cost of authorisation — the larger components are legal and consulting fees, technology investment, hiring and the capital contribution.

What is PS25/12 and CASS 15 and when does it take effect? PS25/12 is the FCA's policy statement, published in August 2025, that creates a new safeguarding regime under a dedicated CASS 15 sourcebook. It applies to all authorised payment institutions providing services involving customer funds and to all authorised electronic money institutions, in force from 7 May 2026. The regime introduces a statutory trust over client funds, mandatory daily reconciliation, monthly FCA safeguarding returns, an annual safeguarding audit under the Financial Reporting Council's new CASS 15 auditing standard, and a CASS 10-aligned Resolution Pack retrievable within 48 hours. Firms applying for authorisation in 2026 must demonstrate CASS 15 readiness in the application file.

How often does the FCA refuse payment institution applications? Approximately one in five payment firm applications was refused or forced to withdraw in 2023, up from approximately one in fourteen in 2021. The FCA's 2024/25 Business Plan formally adopted "more assertive gateway standards" and the March 2024 Dear CEO letter to payment firms identified financial resilience, safeguarding and AML controls as recurring weaknesses. The most common refusal reasons are thin Regulatory Business Plans, weak governance, off-the-shelf AML frameworks, capital plans that do not survive stress, and senior managers who fail fitness and propriety. Where the FCA forms a view that the application is unlikely to succeed, it will generally suggest withdrawal rather than proceed to refusal.

Can a payment institution issue electronic money or accept deposits? No. An Authorised Payment Institution cannot issue electronic money: stored value, prepaid card balances and digital wallet balances require an Electronic Money Institution (EMI) licence under the Electronic Money Regulations 2011. An API also cannot accept deposits or lend on its own account: those activities are reserved for credit institutions authorised under the Financial Services and Markets Act 2000. Many fintechs that initially apply for an API licence subsequently upgrade to an EMI licence as their business model evolves towards stored-value or wallet products.

Does the UK still passport into the EU after Brexit? No. The UK left the EU Single Market on 31 December 2020 and PSD2 passporting between the UK and EU ended on that date. UK APIs that wish to provide services into the EU must obtain a separate authorisation in an EU Member State (most commonly Lithuania, Ireland or the Netherlands for fintech models) and operate that EU authorisation in parallel with the UK API. Conversely, EU PIs that wish to serve UK customers must obtain UK authorisation. The EBA Central Register continues to list UK-authorised firms but the listing is informational only and confers no rights to operate in the EU.

What does the FCA assess in an Authorised Payment Institution application? The FCA assesses six core areas at the gateway: governance arrangements (including the experience and fitness of senior managers), capital and ongoing own funds, safeguarding arrangements (CASS 15-aligned from 7 May 2026), AML and financial crime controls, business model viability (including three-year financial projections), and systems and controls (including IT, information security, operational resilience and Consumer Duty where applicable). Each area is examined in detail in the Regulatory Business Plan and supporting policies, and weakness in any one area can drive multiple rounds of information requests or, in serious cases, refusal.

What happens after I submit my application — can I operate while it is being assessed? No. The PSRs 2017 prohibit the provision of regulated payment services without authorisation, and operating without authorisation is a criminal offence. Once an application is submitted, the firm may continue with build, hiring and other preparatory activity but may not provide regulated services to customers. The FCA acknowledges submission and typically appoints a case officer within three weeks. The case officer will issue rounds of information requests, may request management interviews and (occasionally) site visits, and will ultimately issue a "minded to approve" letter setting out conditions precedent. Authorisation is granted only when conditions are satisfied. Most applications go through three to five rounds of information requests before authorisation.