Regulation of payment institutions in the EU: country-by-country differences

When an entrepreneur first comes to me with the idea of entering the payment services market in Europe, I can usually read the same question in their eyes: “Where do you even start?” Regulation of payment institutions in the EU is not a single law or a single regulator, but a whole architecture of directives, national acts, supervisory practices and technical standards. And it is precisely how competently the first step is taken that determines whether a payment institution license will be your asset or a constant source of stress and constraints.

I have been developing COREDO since 2016 as a company that combines legal, regulatory and business vision in a single project. During this time the COREDO team has participated in the launch and scaling of dozens of fintech projects in the EU, the UK and Asia — from small payment institutions with a niche product to holdings combining the status of a payment institution and an e‑money institution in multiple jurisdictions.

In this article I will explain how regulation of payment institutions works in practice in the EU, what to look for when choosing a country, what the differences are between a payment institution license and an e‑money license, and what requirements for AML, governance and IT infrastructure need to be built into the model from day one. I will speak as a practitioner who is responsible not only for legal compliance but also for the profitability of such projects.

Regulation of payments: PSD2 and e‑money

Any project in the field of payment services in Europe begins with three key regulatory “layers”:
  1. EU Directive 2015/2366 (PSD2) – a framework document that sets out the general requirements for payment services in the EU: list of services, licensing of payment institutions, third‑party access to accounts (open banking, XS2A), strong customer authentication and basic consumer protection requirements.
  2. Directive 2009/110/EC (electronic money) – defines the status of an electronic money institution (EMI), requirements for the issuance and circulation of electronic money, safeguarding of client funds and the minimum share capital for e‑money institutions.
  3. National legislation of EU countries: each country implements PSD2 and Directive 2009/110/EC into its own laws, adding national specifics: requirements for substance, for the office, for top management, the level of IT security, reporting, etc.

The COREDO team constantly works at the intersection of these levels: we start with an analysis of the client’s business model under PSD2 and Directive 2009/110/EC, and then adapt it to a specific jurisdiction: Lithuania, Estonia, Ireland, Cyprus, Luxembourg or other EU countries.

Payment institution and e-money institution: difference

One of the first questions clients ask me is: “Do we need a payment institution license in Europe or immediately an electronic money license?”

Main difference

  • Payment institution (PI) – grants the right to provide payment services listed in PSD2: acquiring, money remittance, execution of payment transactions, issuing of payment instruments, PISP/AISP, etc.
  • Electronic money institution (EMI) – additionally grants the right to issue electronic money and to hold clients’ funds in the form of an electronic balance (wallets, prepaid cards, stored-value services).
From the regulator’s point of view these are different levels of risk and, accordingly, different requirements:
  • the minimum share capital for a payment institution is lower than for an e‑money institution, especially if we are talking about a “small payment institution” or a limited license;
  • EMIs have stricter requirements for safeguarding, prudential supervision, reporting and risk management.
In COREDO’s practice it often happens that a client comes with the idea of issuing a “wallet”, and after legal analysis we show that at the start it is more advantageous to obtain payment institution status with a specific set of services and not enter the electronic money regulatory regime. This saves capital, shortens licensing timelines and reduces supervisory complexity.

Which PSD2 services require a license?

To avoid mistakes with the license, it’s important to honestly ask yourself: which specific operations do you want to perform?

The EU directive on payment services (PSD2) covers, in particular:
  • execution of payment transactions (including SEPA payments and cross-border payment services in the EU);
  • issuing of payment instruments (cards, virtual cards, other instruments);
  • acquiring of payment transactions (merchant acquiring, including online acquiring and payment gateways);
  • money remittance (classic transfers without an account);
  • services enabling cash to be placed on or withdrawn from a payment account;
  • PISP and AISP (open banking).
At early stages the COREDO team usually creates a functional map of services: we break the product down into specific operations and match them against the list of PSD2 services. Such an analysis immediately shows whether a payment institution license or an e‑money institution license is required, or whether you can build a model through partners (for example, white‑label solutions, agency schemes, etc.).

Minimum statutory capital and supervision

For any payment institution and e‑money institution in the EU, it is critical to correctly assess capital requirements and the potential increase in supervisory burden as the business scales.
Capital: what is it?

The amount of minimum statutory capital for a payment institution depends on the types of services and may vary across EU countries due to differences in the implementation of the Directive. For e‑money institutions, capital is generally higher. In addition, the regulator calculates own funds using one of the methodologies (fixed overheads, volume‑based, etc.), which is directly linked to turnover.

In COREDO projects we always model a 3–5 year scenario: how growth in transaction volume will affect own funds requirements and, accordingly, the financial model. This helps avoid a situation where the business scales faster than the shareholders are willing to recapitalize the company.

Prudential supervision in the banking sector

Prudential supervision of payment institutions in the EU is built on a risk‑oriented approach. Regulators look not only at capital adequacy, but also at:

  • risk management (operational, liquidity, compliance risk);
  • internal control system;
  • procedures for safeguarding client funds;
  • IT and cyber risks.
A solution developed by COREDO almost always includes a roadmap for interaction with the regulator: which reports, within which timeframes, and in what format you will submit in a given country, and how to plan resources for compliance and finance functions.

Choosing an EU jurisdiction: strategy, not price

A mistaken simplification I regularly hear: “The EU is a single space, so in any country the regulation of payment services will be roughly the same.” In practice, differences in national regulation of payment institutions within the EU are very significant: in requirements for substance, for an office, for a resident director, for IT infrastructure, for safeguarding accounts and even in the approach to clients from the CIS.

The COREDO team usually advises entrepreneurs to look at country choice from several angles:

  1. Regulator: speed of communication, transparency of processes, willingness to innovate (regulatory sandboxes for fintech, attitude to new models, including paytech and embedded finance).
  2. Requirements for substance:
    • requirement for a physical office;
    • local staff (board, MLRO, risk, compliance);
    • the depth of presence the regulator requires to recognize the company as genuinely managed from that country.
  3. Requirements for safeguarding clients’ funds:
    • which banks/institutions accept funds;
    • whether insurance can be used;
    • specifics of account segregation and their oversight.
  4. Reporting and supervisory burden: report frequency, complexity of forms, intensity of inspections.
  5. Tolerance toward non-residents and cross-border models: an important factor for projects targeting clients from the CIS, Asia, Africa.
In COREDO’s practice we often receive requests to compare, for example, Lithuania, Estonia, Ireland, Malta, Cyprus and Luxembourg for obtaining a payment institution license. In such cases we prepare a comparative analysis of capital requirements for payment institutions by country, substance, licensing timelines and national specifics of AML supervision. This is a document that helps make a strategic decision not “by hearsay”, but on the basis of facts.

Single European passport for licensing

One of the EU’s key advantages is the single European passport for payment institutions and e‑money institutions.

Once you obtain a license in one country, you can:
  • provide cross-border payment services in the EU without a separate license in each country;
  • open a branch in other EU countries;
  • build a network of agents and distribution across the territory.
However, in practice not all entrepreneurs use this tool correctly. At COREDO we always explain that passporting is not only notifying regulators, but also:
  • local consumer legislation;
  • KYC/AML specifics for residents of different countries;
  • local rules for marketing financial services;
  • requirements for the language of documentation and customer support.
Practical example: one of COREDO’s clients obtained an e‑money institution license in one of the EU countries with a focus on B2B wallets. At the next stage we built an expansion plan into 6 countries by passport – taking into account the specifics of local AML expectations, language requirements and taxation. Such a plan allowed launching countries in stages, without placing unnecessary burden on compliance and IT.

AML requirements for EU payment institutions

Any regulator in Europe today views AML/CFT as a key criterion for payment institutions and electronic money. If your anti‑money‑laundering procedures look formal, your chances of licensing success approach zero.

COREDO was originally formed as a team where AML consulting and legal expertise in financial law work together. This has allowed us to build a practice in which we design the client’s AML model in parallel with the choice of jurisdiction and license, rather than after the fact.

Typical regulator expectations include:
  • ownership structure and beneficiary requirements: transparency, no sanctions‑related risks, verification of source of funds;
  • the appointment and actual status of the AML officer (MLRO): experience, independence, engagement;
  • risk‑based approach: segmentation of clients by risk, enhanced due diligence where necessary;
  • policies and procedures: customer due diligence, ongoing monitoring, transaction monitoring, sanctions screening, PEP policies;
  • use of regtech solutions, but with the understanding that automation does not replace the responsibility of management bodies.
COREDO’s experience confirms: projects that embed a strong AML function from the outset (a capable MLRO, realistic monitoring scenarios, a well‑designed KYC model) obtain licensing more reliably and more easily secure approval for service and geographic expansion.

Governance: three lines of defence

The regulator in the EU has long viewed payment institutions and e‑money institutions through the lens of corporate governance. A simple structure “director and accountant” is no longer seen as sufficient.

In the work of the COREDO team we adhere to the concept of three lines of defence:

  1. First line: the business units that create the product and interact with customers. They are responsible for compliance with procedures at the operational level.
  2. Second line: the compliance and risk management functions that develop policies, monitor compliance, and analyse new risks (for example, when launching a new product or entering a new country).
  3. Third line: internal audit, an independent assessment of the effectiveness of the entire system.

Regulators in many EU countries explicitly expect that, within the structure of a payment institution, the following will be visible:

  • an independent compliance officer;
  • a risk manager with an understanding of financial and operational risks;
  • a plan and scope of internal audit (even if some functions are outsourced).
In several projects the solution developed by COREDO included a hybrid model: some functions were outsourced (especially at the start), while governance and transparent reporting to the regulator were preserved.

IT infrastructure and cybersecurity: PSD2 and SCA

For a fintech company, the IT platform is not only a product but also subject to regulation in its own right. Requirements for the IT infrastructure and cybersecurity of payment institutions in the EU include:

  • compliance with PSD2 requirements for strong customer authentication (SCA);
  • data protection in accordance with GDPR;
  • resilience, redundancy, incident recovery plans;
  • access control, operations logging, vulnerability management.
In some jurisdictions, regulators closely scrutinize:
  • API architecture (especially in the context of open banking);
  • change management processes;
  • outsourcing of critical IT functions and relationships with external providers.

The COREDO team is accustomed to involving IT architects and cybersecurity specialists as early as the licensing preparation stage. This makes it possible to answer the regulator’s questions in advance, rather than reworking the platform at the last minute.

Outsourcing and agents: where is the line of what’s allowed

Modern payment institutions rarely do everything in-house. Outsourcing KYC, IT infrastructure, parts of the operational process is common practice. At the same time, requirements for outsourcing functions of a payment institution in the EU are becoming increasingly strict:
  • critical functions (risk management, AML, key IT systems) cannot be completely ‘outsourced’ without losing control;
  • agreements, SLAs, monitoring mechanisms and the regulator’s rights of access to information are required;
  • the regulator assesses the payment institution’s ability to manage a network of agents and partners.
In COREDO projects we help clients find the right balance: leverage strong external solutions (for example, for KYC or transaction monitoring), while keeping the core competencies in-house and demonstrating to the regulator real control over the business.

Common mistakes applicants make and how to avoid them

Over the years I have seen several recurring mistakes that significantly prolong or even block obtaining a payment license in the European Union:

  1. Unclear business model: vague descriptions of services, inconsistencies between the product side and the legal part.
    • How we solve it at COREDO: we start with a product workshop, form a clear model, and then write the application pack to fit it.
  2. Underestimating substance requirements: attempting to build a “virtual office” where the regulator expects a real presence.
    • We immediately explain what minimum office and key functions will be required in that specific country.
  3. A formal approach to AML: copying template policies without taking into account the geography of clients and real risks.
    • The COREDO team adapts the AML model to the specific client base (including clients from the CIS and Asia, where risks are higher).
  4. Weak management team: nominal directors without real experience in payments, risk, and finance.
    • In a number of cases we helped clients build a governance structure and select strong managers who satisfy the regulator.
  5. Lack of a scaling model: the applicant does not show how they will manage risks as transactions grow, enter new countries, or launch new products.
    • COREDO’s practice confirms that having a scaling roadmap significantly increases the regulator’s confidence.

Strategic approach to a project: practical recommendations

If you are a founder, chief financial officer, or head of a fintech division and are considering registering a fintech company in Europe under a payment license, I would recommend structuring the work in stages.

  1. First the business model, then the jurisdiction.
    • Do not choose a country based on “where it’s easiest” or “where acquaintances have already obtained a license”. First describe the product: what payment services, which markets, which customers, how you monetize. The COREDO team often begins cooperation precisely with a product or business workshop.
  2. Do an honest AML and risk self-assessment.
    • If you see clients from high-risk regions in your model, complex cross-border chains, work with crypto-assets or embedded finance, do not try to “hide” this from the regulator. Together with COREDO’s clients we develop realistic control measures that can be defended before the supervisory authority.
  3. Model the ROI of your own license vs operating through a partner.
    • Having your own license is not just freedom and margin, but also ongoing expenses for compliance, risk, reporting, IT security, and audit. Sometimes at the start it’s more sensible to build a hybrid model: operate through a partner while simultaneously preparing for licensing. Our experience at COREDO has shown that such strategic flexibility often yields a better result.
  4. Plan passporting from day one.
    • If you target clients across the EU, it’s logical to think in advance about which countries will be key, which specifics need to be considered (language, local consumer law, taxes), and to embed this into the contract architecture, IT systems and compliance processes.
  5. Don’t postpone organizational design.
    • The governance structure, allocation of compliance, risk management and internal audit functions are not a formality for the regulator, but the real resilience profile of the company. The sooner you establish it, the easier it will be to obtain a license and deal with subsequent supervision.
At COREDO I always look at a project not only through the eyes of a lawyer but also those of an entrepreneur: in terms of timelines, team resources and payback. Payment services regulation in Europe is becoming increasingly complex, but it is precisely this that creates high barriers to entry and protects those players who build their business systematically.

If you plan to create or scale a payment institution or e-money institution in the EU, the COREDO team truly has a lot to offer: from choosing a jurisdiction and license architecture to the operational setup of AML, governance and IT frameworks. And the earlier you involve experts, the more decisions you’ll be able to make from a position of strength, rather than under the pressure of deadlines and regulatory requirements.
