When I launched COREDO in 2016, fintech seemed like a race of ideas. Today it’s not ideas that win, but sustainable models: legally sound, regulatorily mature, and operationally reliable. Over the years the COREDO team has implemented dozens of projects for registering legal entities in the EU and Asia, obtaining electronic money (EMI) licenses, setting up AML/CFT, and providing comprehensive support for payment businesses. In this article I have compiled what actually works, where entrepreneurs typically “lose” time and capital, and how to build a roadmap to a license so that in a year we are discussing scaling, not remediation.
Why it makes sense to build an EMI in the EU today
The EU payments market remains one of the most sizable and predictable. The EMD2 and PSD2 regulatory framework sets clear rules, and the passporting mechanism allows services to scale quickly across the Union. For many of our clients, registering a payment company in the EU is not only about access to SEPA and IBAN, but also about access to a reliable correspondent network and partnerships with leading card providers.
At the same time, EMI regulation in Europe has become more complex: the EBA has raised expectations for governance, safeguarding and cyber resilience, and national regulators are carefully testing “fit and proper” and substance. Our experience at COREDO has shown: those who win are the ones who build an operating model from day one to meet supervisory requirements, rather than trying to “fine-tune” it at the last minute.
Regulatory map: EMD2, PSD2, EBA and national regulators
At the core: the Electronic Money Directive (EMD2) and the Second Payment Services Directive (PSD2). The first defines what electronic money is and how to issue it; the second sets the framework for payment services, access to accounts and security requirements. EBA recommendations complete the picture: from governance and internal controls to incident reporting and outsourcing requirements.
National regulators — Bank of Lithuania, Central Bank of Ireland, BaFin, ACPR/ Banque de France, De Nederlandsche Bank, Banco de España and others — implement these rules through local guidance and expectations. It is important to understand the principle of home state control vs host state supervision: obtaining an EMI license in the country of domicile and operating across the EU via passporting is easier than trying to obtain several local licenses.
Choosing a country for an EMI license: a strategic crossroads
COREDO often starts with the question: how to choose an EU country with the lowest regulatory risks for an EMI license? I suggest looking at four dimensions at once: EMI capital and substance requirements, timelines for obtaining an EMI license and the regulator’s readiness to engage in dialogue, the availability of banking infrastructure and correspondent relationships, and the total cost — from licensing fees to OPEX for compliance and reporting.
Lithuanian EMI license: advantages and risks
Lithuania has become a magnet for fintech thanks to the Bank of Lithuania, its transparent processes and reasonable timelines. For companies with a clear model of issuance of electronic money and e-wallets, integration into SEPA and ready technology, this is a fast route to market. Passporting an EMI in the EU via Lithuania works predictably, and the regulator is open to constructive engagement.
Risks: a high threshold of expectations regarding substance, real management and local managers, as well as close attention to safeguarding mechanisms and correspondent banks. For COREDO clients, an important part of the project here becomes early confirmation of access to safeguarded accounts and building relationships with banks from the “white list”.
EMI license Ireland: requirements and expectations
The Central Bank of Ireland is traditionally strict on governance, the senior managers regime and independent directors. In return, Ireland provides strong access to the talent pool and the ecosystem of international payments players. Requirements for cybersecurity and operational resilience here are above average, but predictable. If your goal is partnerships with global brands and a project with a high level of risk management, Ireland is a strong option.
Malta EMI license: for fintechs with an international model
Malta is attractive for its flexibility and access to an English-language legal environment. The MFSA pays close attention to AML/CFT and outsourcing, but timelines are negotiable if you can demonstrate a mature risk-based approach and technological readiness. For fintechs planning card acquiring and multicurrency wallets, Malta can provide a good entry point, but enhanced controls on reporting and audits will be required.
Capital, own funds and safeguarding: financial resilience of EMI
Minimum initial capital for an EMI in the EU depends on the business model, but basic thresholds are defined by EMD2 and local acts. In addition to start-up capital, regulators expect own funds, calculated according to prudential requirements taking into account issuance volumes and payment operations. In COREDO’s practice, confirmation of the source of capital and the stability of funding is one of the first things we prepare for the meeting with the supervisor.
Safeguarding is the cornerstone. Requirements for the safekeeping of funds (safeguarding) imply segregation of client funds in trust accounts or segregated accounts, or insurance/guarantee mechanisms. We choose the option taking into account the availability of banks and the cost of capital. The solution developed by COREDO for one of the projects included a multi-bank safeguarding model with automatic rebalancing according to risk limits.
Correspondent banks and access to SEPA/IBAN
Key operational risk for an EMI: correspondent relationships and de-risking. Correspondent banks and EMIs often “look” at each other through the prism of industry risk statistics. Here it is important to demonstrate mature AML/CFT, a transparent ownership structure and a clear client geography. Our COREDO practice confirms: a preliminary AML audit and stress-testing of monitoring scenarios increase the chances of opening safeguarded accounts and gaining access to SEPA.
Organizational structure and substance
Subsidiary vs branch: it’s not only a matter of legal formality, but also regulatory perception. A subsidiary structure gives more sovereignty over governance and independent directors; a branch can sometimes speed up the process but is more complicated regarding local management and tax substance. I prefer the subsidiary model for an EU electronic money license if the goal is long-term scalability.
Place of effective management (mind and management), risk/audit committees and independent directors are not “tick-boxes” but the basis of dialogue with the regulator. Fit and proper tests for key executives assess not only experience but also the ability to challenge risk. In COREDO projects we set up in advance the calendar of meetings, responsibility matrices and evidence of local management involvement.
Tax substance and transfer pricing for EMIs: areas of increased scrutiny. It is important that functions and risks are located where the income arises, and that the transfer pricing policy is documented. This directly affects the perception of substance and reduces regulatory risks of an EMI license during cross-border inspections.
Licensing procedure: from the business plan to interaction with the regulator
How to obtain an EMI license is a question of discipline. The business plan for an EMI application must reflect unit economics, customer portfolio strategy, risk appetite and a governance plan. Licensing documentation includes AML policies/CFT, safeguarding, IT security, outsourcing, an incident plan, a 3–5 year financial model and a description of the technological architecture.
Fit and proper, senior managers regime and governance: an area where many waste time. The regulator assesses the management team, their powers, independence and the system of internal control. In one project the COREDO team replaced “nominal” roles with real functional leaders, added an independent director with banking experience and disclosed the risk escalation mechanism; the application passed the interview without additional cycles.
Timing and cost. Typical licensing timelines are 6–12+ months, depending on the country and the applicant’s readiness. Costs for obtaining an EMI license consist of consultants’ fees, government charges, audit costs and the launch of internal systems. Annual OPEX includes compliance, reporting, audit, AML systems, cybersecurity and the board of directors. I always advise allowing a 12–18 month financial “buffer” to withstand pauses on regulator queries.
AML/CFT and compliance: a system trusted by banks and regulators
EU regulators operate according to AMLD5/AMLD6, FATF and EBA recommendations. The working standard, a risk-based approach to AML: client segmentation, KYC/CDD by risk levels, PEP screening, sanctions screening, geographic indicators and continuous revision of risk profiles. For one client COREDO implemented KYC-as-a-Service with independent verification and centralized third-party management: this reduced CAC and simplified auditing.
Transaction monitoring is the heart of the system. You need a combination of rules, scenarios and machine learning, clear thresholds for CTR, STR procedures and escalation protocols. It’s important to ensure end-to-end traceability of the solution: from trigger to report. We often carry out a cost-benefit analysis of AML systems implementation to avoid “gold-plated” IT and preserve alerting accuracy.
Outsourcing and third-party risk is an area where regulators have become stricter. In contracts for cloud hosting and KYC providers we establish the right to audit, BCP/DR plans, data location requirements and incident reporting deadlines. The COREDO team pre-defines control points and termination criteria to avoid vendor lock-in.
Technological and operational resilience
Cybersecurity and incident reporting, a mandatory layer. You need policies on access, encryption, vulnerability management, penetration testing and response plans. Regulators expect incident reports within set deadlines and evidence of lessons learned from incidents. GDPR defines the contours of working with personal data, consents, DPIA and data subject rights.
Operational resilience is not only data centers and clouds, but also business continuity. BCP/DR should have tests, critical RTO/RPO and scenarios for loss of a correspondent bank. In one project COREDO modelled a switch to backup safeguarded accounts within 48 hours: that proved the operational model’s maturity to the regulator.
Tokenization and stablecoins are a borderline area. E-money is the issuer’s obligation, not a crypto-asset. If the product involves work with stablecoins or tokenization, it’s important to clearly separate payment services and any digital asset elements so as not to exceed the scope of the EU electronic money license and to avoid falling under additional regimes. We pre-agree the architecture with the regulator to avoid surprises.
Market strategy and ROI
ROI metrics for an EMI should be pragmatic: CAC by segments, LTV accounting for churn and interbank fees, unit economics by product, payback period. I ask teams to show base, realistic and stress scenarios, including de-risking by banks and delays in integrations.
Passporting and scaling in the EU is a strong driver of ROI. But remember host state supervision: some countries impose additional requirements on notifications, marketing localization or reporting. At the initial stage we focus on 3–5 countries with the best ratio of market size to requirements.
Scaling in Asia and the Middle East requires different approaches. Singapore and Dubai have separate licensing regimes; EU passporting does not work there. COREDO supports clients in these jurisdictions through local licenses and partnerships, often using the European EMI as an “anchor” center of competence and risk management.
Risks and scenarios: from revocation to remediation plans
Grounds for license revocation: systemic safeguarding failures, insufficient capital, weak AML/CFT, a management vacuum, critical incidents without remediation. In COREDO’s roadmap there is always a playbook: triggers for capital reinforcement, quick provider replacement, AML forensics and communication with the regulator.
How to minimize regulatory risks when entering the EU market? First, a transparent ownership structure and beneficial ownership registers. Second, substance and the place of real management. Third, a stress-test of own funds and a plan in case of transactional volume growth. Fourth, regular internal audits and independent AML/CFT reviews.
Exit strategy and M&A. EMI: an asset whose value depends on compliance quality. We pre-plan options: portfolio sale, merger, conversion to another license type, transfer of operations between subsidiaries and branches (corporate structure rework). Such flexibility reduces risks and increases ROI.
COREDO Case Studies
- Registration of a payment company in the EU with passporting. Client: a multcontinental group, target segment: SMB cross-border. We prepared the business plan, financial model, governance, substance, conducted a fit-and-proper assessment, obtained an EMI license and set up passporting for five countries. Result, entry into SEPA in 10 months and stable access to correspondent banks.
- Launch of an EMI for a crypto-fiat on-ramp. Task: clear separation of e-money and digital assets. The COREDO team developed a tokenization policy, AML/CFT for conversion scenarios, sanctions screening and transaction monitoring. The regulator accepted the architecture, correspondent banks approved safeguarded accounts provided that flows were segregated.
- AML remediation and restoration of banking access. The client faced de-risking and a requirement to strengthen monitoring. COREDO’s practice proved effective: targeted calibration of scenarios, implementation of independent KYC and team training, revision of thresholds for STR/CTR. Within 90 days we restored two correspondent lines and closed the regulatory order.
Answers to common strategic questions
- What are the key regulatory risks for a business when opening an EMI in the EU and how to mitigate them? These are capital adequacy, safeguarding, AML/CFT, governance and cyber resilience. We mitigate them through early gap analysis, capital stress testing, an independent AML audit, BCP/DR and an incident reporting plan.
- How to compare licensing cost, capital requirements and time-to-market? We build a matrix: country × time-to-market × minimum capital × banking availability × OPEX. We take into account license fees and administrative expenses, as well as cost of compliance over a 3-year horizon.
- Which ROI metrics to use? CAC, LTV, unit economics by transaction types, share of safeguarding cost in revenue, payback and NPV with a risk discount.
- How to structure a corporate group and operating model to scale across Europe and Asia? A subsidiary in the EU as the licensing hub, branches for operations and marketing, separate local licenses in Asia, shared services for IT/AML, and a transparent TP model.
- What are the long-term consequences for banking access from choosing a jurisdiction? The choice of country affects banks’ perception, the speed of account openings, access to SEPA and partnerships with card schemes. A jurisdiction with strong supervision can increase banks’ trust, but will require higher OPEX.
- Which exit scenarios and license revocation risks should be planned for in advance? A remediation plan, capital strengthening under stress, provider switch options, M&A and mothballing operations with protection of client funds.
- What requirements for the place of effective management and substance are critical? Local directors, making key decisions in the licensing country, physical presence, independent committees and documented functions.
- What is the typical cost of annual compliance (OPEX) and how to optimize it? It includes audit and reporting for EMI, AML systems, cybersecurity, board of directors, software licenses. We optimize through risk-oriented outsourcing, KYC-as-a-Service, harmonizing reporting under the EBA and automation of monitoring.
Practical checklist from COREDO before applying to an EMI
- Confirm minimum own capital and sources of funds, calculate own funds according to prudential requirements taking into account peak volumes.
- Demonstrate safeguarding mechanisms: agreements for trust/segregated accounts, daily reconciliation policy, backup bank.
- Establish governance: independent directors, committees, authority matrix, conflicts of interest policy.
- Build AML/CFT: KYC/CDD, PEP and sanctions screening, transaction monitoring, STR/CTR, training, internal audit.
- Prepare the technology base: cybersecurity requirements for EMI, incident log, BCP/DR plan, DPIA under GDPR.
- Describe outsourcing and third-party management: SLA, audit rights, data location, replacement plans.
- Develop a market entry strategy and financial model: ROI, CAC/LTV, de-risking scenarios, a map of passporting and local requirements.
How we work at COREDO: process, roles, transparency
The project roadmap typically includes four stages: pre-licensing diagnostics and jurisdiction strategy; governance, AML, and IT architecture; compilation and submission of the application package, interaction with the regulator; launch of operations, passporting, and reporting setup. Each phase has readiness metrics and checkpoints, and communications follow the timeline agreed upon at the start.
I am personally responsible for key negotiations with the regulator and complex structural crossroads. It is important to me that the application reflects the real business and withstands scrutiny not only at the licensing stage but also after two years of active growth. In projects where COREDO acts as a long-term partner, the speed of decision-making and transparency of processes become our shared competitive advantages.
Conclusion: what to do now
- Identify target markets and align them with passporting opportunities. If Asia is a priority, add local licenses to the scaling plan.
- Conduct an honest gap analysis on capital, safeguarding, AML/CFT and IT. Fix the gaps before engaging with the regulator.
- Prepare the team for fit and proper: real roles, independent directors, a clear governance calendar.
- Early dialogue with correspondent banks is critical. Without safeguarded accounts, a license doesn’t turn into a business.
- Assess ROI and OPEX across three scenarios. A strong financial model is your language with the regulator and banks.
COREDO builds projects that are a pleasure to look at years later. If you’re designing an EMI license in the EU, looking for answers on PSD2 and EMI licensing, planning passporting and a bank relationship strategy, we have practical solutions and the experience to deliver results. Contact us, and together we’ll turn your idea into a sustainable payments business.