Coredo

MiCA: EMT or ART for stablecoins

MiCA divides stablecoins into two basic classes:

• e‑money tokens (EMT): essentially tokenized electronic money, 1:1 pegged to a single fiat currency, most often the euro.
• asset‑referenced tokens (ART) – tokens pegged to a basket of currencies and/or other assets (for example, a multi-currency stablecoin or a token backed by a mix of fiat+bonds+gold).

When it makes more sense to use EMT

For projects that target stablecoin use cases in payments, e‑commerce, B2B settlements and corporate treasuries, EMT most often becomes the default model.

When ART provides more flexibility

MiCA and algorithmic tokens: what’s prohibited

Stablecoin reserves under MiCA: architecture and audit

• obtain Licensing and regulatory supervision;
• withstand stress scenarios (withdrawal of 30–40% of assets over a short period);
• maintain acceptable project economics.

1. MiCA stablecoins with high-quality reserves will have a competitive advantage over ‘grey-zone’ tokens that European CASPs will sooner or later limit access to.
2. Large corporate users and financial institutions will look specifically at:

   • the reserve structure,
   • liquidity management procedures,
   • independent audit.

Redemption rights under MiCA: holder rights and issuer economics

MiCA enshrines a key principle: a stablecoin holder has the right to redeem the token for fiat (or the underlying asset) at par, within a reasonable time frame and on clear terms.

CASP, MiCA and passporting in the EU

Any issuer or platform working with stablecoins in Europe encounters the concept of crypto‑asset service providers (CASP).

Key idea: by obtaining a CASP license in one EU jurisdiction, you gain passporting for services across the Union. This significantly increases the value of choosing the right country for registration and licensing.

AML/KYC and the Travel Rule: practical compliance

DAC8 and reporting on stablecoins

MiCA and liquidity management

• whether MiCA-compliant regulated stablecoins can be used for daily settlements with counterparties in the EU;
• how stablecoins affect liquidity management and treasury strategies;
• what to choose for international settlements: CBDC, stablecoins, or traditional bank payments.

MiCA and regulation in Singapore, Hong Kong, the UK and the US

• stablecoin regulation in Singapore – a balanced regime with an emphasis on payments and enterprise solutions;
• stablecoin regulation in Hong Kong and the emerging Hong Kong stablecoin licensing regime;
• the UK’s approach, where stablecoins fall within the perimeter of financial regulation but with its own specifics;
• the debate in the US around GENIUS Act stablecoins and competing bills.

• reserves and transparency;
• consumer protection;
• systemic stablecoins and oversight by central authorities.

How we structure stablecoin projects at COREDO

What an entrepreneur and a CFO should take into account

• Design the stablecoin from the start for MiCA, even if the initial launch focuses on another region. Reworking the architecture afterwards in Europe is costly.
• Treat reserves and MiCA compliance as part of the unit economics, not just a regulatory burden: access to European platforms and large corporate clients depends on it.
• Embed AML and DAC8 readiness from the outset: many business models collapse not because of the token idea, but because of inadequate compliance and reporting.
• See MiCA as an opportunity for differentiation: regulated stablecoins with transparent reserves and a clear legal framework will outperform “grey” alternatives, especially in the B2B and enterprise segments.

In international groups the question of a KYC policy today sounds very direct: a single standard or local adaptation? As someone who has been developing COREDO since 2016 and sees live cases from the EU, Asia and the CIS every day, I will confidently answer: formally, a single framework is needed; practically — without thoughtful local adaptation the business simply will not survive.

Why the old KYC approach does not work

• payment systems,
• correspondent accounts,
• licenses (crypto, EMI, PI, forex, investment),
• marketplace ecosystems and fintech partners.

• Each jurisdiction requires it “a little differently”: forms, timeframes, documents, EDD levels.
• Payment partners and banks practice over-compliance: they check every client and every transaction, block accounts, and require KYC updates “more often than is written in the law.”
• Scaling into 5–10+ countries turns into chaos: different procedures, different IT systems, different interpretations of AML risks in subsidiaries.

Group-wide KYC standard: components and requirements

• Risk appetite and client typologies
  • retail, SME, corporate, financial institutions;
  • high-risk segments: CBI clients (investment migration), crypto brokers, PSPs, P2P platforms.
  • logic: whom you are willing to serve at all, and whom: not in any country.
• KYC classification and verification levels
  • standard verification,
  • enhanced due diligence (EDD),
  • enhanced checks for PEPs, sanctioned and CBI clients.
  Uniformity is important here: if EDD for a corporate client in one subsidiary includes an analysis of the origin of capital over 3 years, and in another: only a declaration, the global risk profile is distorted.
• Basic 15-step KYC process for legal entities
  At COREDO we often build a multistep process where, regardless of the country, the following mandatory steps are present:
  • company identification (registration documents, articles of association);
  • identification of beneficial owners and the control structure;
  • verification of directors and key controlling persons;
  • analysis of discrepancies between passports and tax residency;
  • proof of address;
  • checks against sanctions, PEPs, negative media;
  • verification of source of funds and sources of income;
  • assessment of the business model and transaction geography;
  • assigning a risk rating;
  • decision: onboard / reject / EDD / additional requests.
• KYT policy and transaction monitoring
  • rules for real-time monitoring of suspicious transactions;
  • trigger logic by countries and counterparties;
  • approach to blocking/holding transactions and requesting documents.
• Requirements for digital compliance and cybersecurity
  • use of digital identification systems and eIDAS (for the EU);
  • requirements for storing KYC files and activity logs;
  • basic cybersecurity standards: client data protection, access control, logging of verifications.
• Role of an independent compliance officer
  • uniform qualification requirements;
  • independent reporting to the Board of Directors;
  • veto power over risky onboardings.

Where local adaptation of KYC is mandatory
Even a perfectly built global standard does not negate the fact that EU KYC requirements, fintech regulation in Asia and the practices of CIS regulators differ.

I see three levels where local adaptation is not just desirable, but critical.

Requirements and timelines

• In a number of EU countries regulators are moving from “simplified verification” to a strict model of full KYC checks for almost all categories of clients.
• Verification timeframes are shortening: what used to take up to 10 days is now expected to be completed within 2–5 days: especially in fintech, so the client does not go to a competitor.
• For payment companies and crypto licenses, local regulators (for example, in Lithuania, Estonia, Cyprus) set separate requirements for the structure of AML/KYC policies, the content of reporting and data formats.

• EU directives, PSD2, eIDAS for payment and fintech companies;
• requirements of local Asian supervisory authorities, aligned with FATF Guidance;
• requirements for machine-readable AML reporting and online monitoring by regulators.

Substance and real presence requirements

• a real office and staff,
• local directors,
• risk management and on-site compliance,
• the volume of operations in the jurisdiction.

• reallocation of functions (risk, AML, IT) between countries;
• justification of why KYC functions are centralized or, conversely, localized;
• the argument for substance in the exact country where you want to obtain a license or a bank account.

Practice of banks and payment partners

• unclear beneficiary structure;
• mismatch between passports and tax residency;
• lack of transparent evidence of source of funds;
• weak group-level KYC policy and absence of local procedures.

KYC vs KYT and the Travel Rule: what’s changed

• implementation of the FATF Travel Rule: transmission of sender and recipient data between VASPs (Virtual Asset Service Providers) and payment institutions;
• real-time monitoring of sender and recipient against sanctions and risk lists;
• use of blockchain analyzers to assess the risk of addresses and transactions.

• restructure internal policy from “one-time KYC at onboarding” to continuous KYT monitoring;
• implement regulatory synchronization between countries: so that transactions passing through the EU and Asia comply with unified rules on data and reporting;
• prepare for online transaction monitoring by regulators and mandatory data exchange between countries.

KYC for corporate clients: structure

• Basic KYC (all jurisdictions)
  • standard set of company and beneficiary documents;
  • minimal screening for adverse factors;
  • initial risk scoring.
• Enhanced KYC / EDD
  • detailed analysis of structure and ultimate control;
  • in-depth verification of source of funds (bank statements, contracts, financial statements);
  • check of corporate history, M&A deals, changes of beneficiaries;
  • monitoring of PEP status and political risks.
• Special scenarios (CBI, high-risk clients)
  For CBI clients and investment migration, international banks and regulators treat them as high risk.
  • prepare a rationale for the client’s economic substance;
  • demonstrate the consistency of passport, residency, and actual center of interests;
  • document the veracity of the source of funds and the reasons for structuring assets through a particular jurisdiction.

Do KYC automation and digital compliance pay off?

• Reduction of onboarding times from 10 to 2–5 days for corporate clients thanks to digital identification systems and automated checklists.
• Reduced burden on compliance departments: some procedures move to automatic screening and machine-readable reporting for regulators.
• Increased trust from banks and partners: mature digital compliance and cybersecurity are already mandatory criteria when selecting partners.

• implementation of digital identification systems and integration with eIDAS for the EU;
• use of solutions for machine-readable AML reporting and automatic report generation;
• implementation of modules for real-time transaction monitoring and sanctions screening;
• building the internal architecture of embedded AML/KYC procedures into an IT or fintech company’s product.

How to avoid bank account freezes

• there is a single group KYC/AML standard, understandable to banks and PSPs;
• local procedures meet the expectations of the regulators of the specific countries;
• the company establishes KYT and Travel Rule processes in advance according to international requirements;
• a set of evidence of source of funds and justification of the group structure is prepared.

• analyzes exactly where the KYC processes did not satisfy the partner;
• refines the KYC policy and client dossiers;
• builds communication with the bank or payment institution, explaining the business model and compliance framework.

Single standard and local adaptation

For an international group it is not enough to “just adapt to the law”. A strategic KYC framework is needed that withstands scrutiny from regulators, banks and partners simultaneously in the EU, Asia and the CIS.

• Define global risk appetite and target markets
  Answer honestly: which clients you are willing to serve and in which jurisdictions this is permissible.
• Build a single group KYC/AML standard
  • policy structure,
  • KYC/KYT processes,
  • requirements for EDD and CBI,
  • digital perimeter and cybersecurity.
• Make local adaptation by country
  • take into account EU requirements, national laws, PSD2, eIDAS, FATF guidance;
  • embed substance and local regulatory expectations;
  • synchronize reporting and data formats.
• Integrate KYC/AML into the product and operations
  especially for fintech, payment companies, crypto services; ensure real-time monitoring and automation of key procedures.
• Regularly review the policy to meet new requirements
  • FATF and the EU update standards,
  • Asian regulators are increasingly aligning with them,
  • by 2026 the list of mandatory KYC and KYT elements will only growwiden.

When the founder of a fintech project comes to me with the question: “In which country is it best to obtain an EMI license and how can this be done without fatal mistakes?”, I always start not with the country, but with the business model. It is the business model that determines where you can operate sustainably, with understandable regulatory risks and a predictable ROI.

Over years of COREDO‘s work in Europe, Asia and the CIS, the team has taken clients through the entire journey: from the first idea “I want my own EMI license in the EU” to functioning payment institutions with passporting across the EEA, audits to international standards and a well-thought-out AML function. In this article I will distill that experience into a practical guide: how to choose a jurisdiction, which requirements are actually painful in practice, where the boundaries of regulatory risk appetite lie and how to reduce the likelihood of rejection at launch.

EMI license in the EU: what you need to know

EMI license in Europe: this is permission to operate as an issuer of electronic money and to provide payment services based on the PSD2 and EMD2 directives. Essentially, an EMI license in the EU allows you to:

• issue electronic money (wallet balances, prepaid solutions, stored value);
• open and maintain payment accounts for clients;
• provide payment and electronic money services for B2B and B2C models;
• build white‑label solutions for partners and scale a fintech platform across the EEA via passporting of the EMI license.

In any European country, the regulator looks at an EMI provider through three key areas:

• business model and resilience (business plan, profitability, risk management);
• compliance for the EMI provider (AML/KYC, governance, fit & proper management);
• IT and operational infrastructure (security, incident management, safeguarding of funds).

My practical advice: don’t treat an EMI as a ‘checkbox’ or a shiny status. It’s an infrastructure solution for business for the next 5–10 years. If you don’t expect to operate at least on that horizon, the partner-provider model might be more appropriate for now.

Full EMI license or small EMI/PI: where to start?

Many projects come with a strict request: “we need only a full EMI license.” In practice, it makes sense to consider three options:

• full EMI license
  Suitable if you plan to scale across the entire EEA, process significant volumes and work with different segments (B2B/B2C, cross‑border payments, wallets, cards, API integrations for open banking).
• small EMI license (restricted Electronic Money Issuer License)
  This is a compromise: local or volume‑limited operations, simplified requirements, but without passporting across the EEA. In some countries it is used as a “training ground”: to prove to the regulator, investors and yourself that the model works.
• PI (payment institution)
  PI license in the EU allows providing payment services without the status of an electronic money issuer. For some models — money remittance, acquiring or certain B2B solutions — a PI can be sufficient.

I strongly do not recommend choosing between EMI and PI “based on a feeling.” At COREDO we always start by analysing use cases: which products you offer, to whom, in which countries, what limits, where the client balance arises, how you earn money, and what the structure of fees and float is.

How to choose a country for an EMI license

The phrase “which country is best to obtain an EMI license” is incorrect by itself. More accurate is “which jurisdiction is optimal for my business model, risk profile and scaling strategy.”

I always recommend entrepreneurs look at a country through five areas:

1. regulatory risks of an EMI and the regulator’s risk appetite
   • How does the regulator respond to new business models?
   • How often do the rules change?
   • What is the supervisory practice (frequency of inspections, tone of communication, predictability of decisions)?
2. Minimum capital for an EMI and capitalization requirements
   • Initial capital: typically €350,000 for a classic EMI model in the EU.
   • Ongoing capital adequacy: methodology for calculating capital against transaction volumes and risks.
   • You need not only a formal amount but a deliberate model: where you will hold the capital, how to present it under IFRS, how the capital structure will change as you grow.
3. Substance requirements for an EMI (office, staff)
   • Real business presence: local office, employees, resident directors.
   • Role of the local team: who actually makes decisions, who is responsible for compliance, risk management, IT.
4. IT requirements for an EMI license
   • compliance with requirements for ICT and security risk management;
   • architecture, redundancy, disaster recovery plan;
   • management of cyber and operational risks of an EMI, working with outsourcing and cloud providers.
5. Tax aspects and the group’s overall structure
   • compatibility of the country with your flows (B2B, B2C, cross‑border payments);
   • double taxation treaties;
   • the jurisdiction’s impact on investors’ valuation of the project and future funding rounds.

COREDO’s task in such projects is not simply to “register” but to help build a structure that will withstand scrutiny from the regulator, the auditor and investors simultaneously.

Jurisdictions for an EMI license: where and for whom

Below: not a “country ranking”, but typical scenarios that I see in projects coming to COREDO.

EMI license in Lithuania

Lithuania has long become a magnet for fintech projects oriented to the EEA. For many international players, an EMI license in Lithuania is a practical way to enter the European market with predictable timelines and transparent requirements.

When this country makes sense:

• EMI license passporting across the EEA is critical for you;
• you are building a product focused on the EU, but the team is distributed across different countries;
• you are ready for serious work on IT and risk management: the regulator pays close attention to ICT, operational risks and safeguarding.

In practice, the COREDO team pays especially close attention to Lithuanian projects regarding:

• the three‑year business plan and stress‑testing of the model;
• IT architecture: redundancy, incident monitoring, logging, change management;
• AML/KYC model: how the risk‑based approach is reflected in procedures and IT systems.

EMI licence in Ireland

An EMI license in Ireland is most often considered by more mature projects and groups that are building a European hub.

Key features:

• high requirements from the Central Bank of Ireland for the governance structure, fit & proper management, and independent control functions;
• a strong focus on compliance for the EMI provider: AML, risk management, internal audit;
• increased attention to business model sustainability and long‑term viability.

I often see teams underestimating the cost of compliance in Ireland: this includes not only in‑house specialists, but also external consultants, auditors, and the schedule of regular checks. The reward for this is a high level of market and investor trust.

EMI license in the Czech Republic

Czechia appeals to those looking for a balance between operating costs, the level of regulatory oversight, and the ability to work with clients from different European countries.

Features:

• a straightforward infrastructure for company registration and establishing substance;
• reasonable requirements for local presence and governance;
• the possibility to combine an EMI license with operational activity in Central Europe.

Client case: the COREDO team supported a project that considered EMI in Lithuania versus EMI in Czechia. In the end the strategy split: Lithuania — for scaling a B2C product across the EEA; Czechia — for the operational back‑office, development and part of the B2B direction. This is a scenario when one country for an EMI license is not the only answer.

EMI license in the UK: FCA requirements

An EMI license in the UK is the choice of those who consciously accept a high level of regulatory supervision by the FCA, expecting in return a strong brand and access to the British ecosystem.

What is important to consider:

• the FCA’s requirements for governance, risk management, and transparency of the beneficiary structure are especially detailed;
• a lot of attention is paid to outsourcing and service providers for EMIs, including cloud solutions;
• requirements for cybersecurity, incident reporting and IT resilience are being strengthened.

For an international project focused on Europe and Asia, it makes sense to consider the UK as part of a broader structure rather than the sole entry point.

Mauritius: EMI license for an offshore setup

An EMI license in Mauritius raises many questions among entrepreneurs: «how reliable is it to build an international fintech business based on such a license?»

I’ve seen successful cases where Mauritius:

• was used as a hub for international settlements outside the EEA;
• was combined with a European structure (for example, Lithuania / Ireland) to serve clients in the EU;
• allowed optimizing tax burden and group structure while meeting substance requirements.

Problems of the original headline:

• Unnecessary jargon (‘Typical’, ‘bottlenecks’)
• Sounds like an academic paper, not a search query
• Contains 9 words, which exceeds the recommendation

Bottlenecks in EMI licensing

To reduce the risk of refusal to grant an EMI license, I always ask clients to honestly assess three areas before approaching the regulator.

Ownership structure and beneficiaries

The regulator pays close attention to:

• transparency of beneficial ownership;
• sources of funds (source of funds / source of wealth);
• the history and reputation of shareholders and directors (fit and proper test).

Complex multi-level structures without a clear economic rationale increase EMI regulatory risks in any country. At COREDO we often start with “clean-up” of the structure: removing unnecessary layers, putting corporate documents in order, and preparing justification for the ownership chain.

Business plan and revenue model

For the regulator it’s important not only to see a three-year financial plan, but also to understand:

• how you earn (subscription, commission, interchange income, FX margin, B2B fee);
• how you manage regulatory risk (for example, high-risk segments, cross-border payments);
• what will happen to the company under stress scenarios: loss of a key partner, an increase in chargebacks, regulatory changes.

The COREDO team practices stress-testing business models for an EMI license: we model several scenarios and see how capital, liquidity and compliance costs change.

AML/KYC and a risk-based approach

AML/KYC procedures for an EMI provider are where regulators most often raise additional questions. Typical issues:

• declarative policies without a description of the real process;
• lack of linkage between the client risk map and triggers in the IT system;
• an unreasonably lenient or, conversely, excessively strict approach to high-risk segments.

I see entrepreneurs worry that strong risk-based AML will “kill conversion”. In practice, a well-designed approach allows:

• to segment customers by risk and build different KYC pathways;
• to use data providers and automation to speed up the low-risk flow;
• to keep a “manual mode” and enhanced Due Diligence for high-risk.

IT architecture, cybersecurity and outsourcing from the regulator’s perspective

In European projects I increasingly see that the outcome of an EMI license application is decided at the level of IT and security architecture.

Key areas of regulatory focus:

• IT and security risk management for EMI: incident response policy, disaster recovery, business continuity;
• API architecture and operation logging;
• segregated environments (development / testing / production) and change management;
• use of cloud services and critical outsourcing.

When preparing for licensing the COREDO team goes through with the client in detail:

• the infrastructure diagram (servers, data centers, cloud providers, VPN, key services);
• data flows (including customer data, payment data, logs);
• backup model and RTO/RPO metrics.

Timeline and cost of an EMI license

To the question “how long does obtaining an EMI license in the EU take” I always answer with one word: it depends. But there is a realistic range.

With preparation taken into account:

• analysis of the business model and choice of jurisdiction;
• company structuring, substance, appointment of directors and key functions;
• preparation of the business plan, policies, procedures, IT descriptions;
• preliminary consultations with the regulator (where appropriate);

A full turnkey project in Europe typically takes 9–18 months, sometimes longer: if the model is complex or the group structure is non-trivial.

The cost of obtaining an EMI license consists of:

• minimum share capital (for example, the EMI minimum share capital of 350,000 euros for some EU countries);
• professional services (legal support for an EMI license, financial modeling, IT and AML design);
• expenses for substance: office, local team, directors, control functions;
• subsequent audit and an ongoing compliance function.

How to reduce the risk of refusal by the regulator

The regulator doesn’t want to stop you from operating. Its job is to ensure you operate safely. It’s important to remember that.

1. Early dialogue and transparency
   • It’s easier to explain a complex element of the model at an early stage than to defend it after the official submission.
2. Consistency of documents
   • The business plan, policies, IT descriptions, governance structure, and partner agreements should be logically consistent. The regulator quickly spots inconsistencies.
3. Realism
   • Overly aggressive growth plans that are not backed by capital, team, and technology raise doubts. At COREDO we often temper expectations and rebuild the financial model.
4. Readiness for oversight
   • Regulatory oversight (on-site and off-site inspections, regular reports, audits) is not a “punishment”, but a normal part of life for a licensed company. It’s important to set up processes in advance, rather than reacting after the fact.

When it’s better to work with a partner instead of obtaining an EMI license

There are scenarios in which I honestly recommend not rushing to obtain a license:

• the product hasn’t yet achieved market fit;
• unit economics are unstable;
• the team is not ready to support full compliance, risk, and IT operations at the level expected of a licensee.

COREDO’s role here is not to sell a licensing service, but to help see the entire path: from an MVP to a fully licensed institution, with minimal regulatory and operational risks.

How to open an EMI structure with COREDO

In practice, the COREDO team:

• analyzes the business model and helps choose a country where EMI regulatory risks in different jurisdictions align with your risk appetite;
• structures the legal entity (or group), builds a clear ownership structure and substance;
• prepares the complete documentation package for licensing: from the business plan and risk policy to AML/KYC procedures and IT descriptions;
• supports dialogue with the regulator, helps respond promptly to requests and adjust the model;
• sets up ongoing support: AML consulting, legal support, interaction with auditors, updating policies for regulatory changes.

My personal view is simple: having your own EMI license for an international fintech project is an investment in control over the product, margins and the pace of development. But only if you are prepared for serious, systematic work on regulatory, IT and operational risks.