SectorPayments

Payment Institution and EMI Authorisation: FCA Requirements

How FCA authorisation works for payment and e-money firms: the API, SPI, RAISP, AEMI and SEMI categories, initial capital and own funds, safeguarding, PSD2 obligations, and what the application must evidence.

By MEMA Regulatory Team·10 min read·

What It Is

Payment and e-money authorisation is the FCA process by which firms that want to provide payment services or issue electronic money obtain permission to do so. Unlike most regulated activities, which sit under the Financial Services and Markets Act 2000, payment and e-money activities are regulated under two dedicated regimes: the Payment Services Regulations 2017 (PSRs), which implement the UK's version of the second Payment Services Directive (PSD2), and the Electronic Money Regulations 2011 (EMRs).

There are several categories of permission. Under the PSRs, a firm may become an Authorised Payment Institution (API) for the full range of payment services, a Small Payment Institution (SPI) where its payment volumes fall below a monthly threshold, or a Registered Account Information Service Provider (RAISP) where it only provides account information services. Under the EMRs, a firm may become an Authorised Electronic Money Institution (AEMI) or, below certain thresholds, a Small Electronic Money Institution (SEMI). E-money institutions can also provide payment services, so an EMI permission is broader than a PI permission.

The category a firm needs depends on what it actually does — whether it issues stored value (e-money) or only moves money (payment services), which specific payment services it provides, and its expected volumes. Getting the categorisation right at the outset is fundamental, because it determines the capital, safeguarding, and conduct requirements that apply.

Why the FCA Cares

Payments and e-money sit at the heart of the financial system, and the sector has grown rapidly with the rise of fintech, digital wallets, and embedded finance. The potential for harm is significant: customers entrust firms with their money, often in large aggregate amounts, and rely on being able to access and move it. If a firm fails, or its controls are weak, customers can lose funds, payments can be disrupted, and the system can be exploited for financial crime.

The FCA's central concern is the protection of customer funds. Because most payment and e-money firms are not covered by the Financial Services Compensation Scheme, safeguarding is the primary protection customers have. The regulator has repeatedly found safeguarding arrangements to be inadequate — funds not properly segregated, reconciliations not performed, or documentation that does not stand up — and has made safeguarding a supervisory priority, issuing detailed guidance and taking action against firms that fall short.

Financial crime is the second major concern. Payment and e-money firms can process high volumes of transactions, often cross-border and at speed, which makes them attractive to those seeking to launder money or move illicit funds. The FCA expects robust financial crime systems and controls proportionate to this risk, and financial crime failings are a common theme in enforcement against the sector.

The FCA also cares about operational and security resilience. PSD2 introduced requirements around strong customer authentication, incident reporting, and the security of payment services, reflecting the systemic importance of payments infrastructure.

Who It Affects

The regime affects a wide and growing range of firms. Money remittance businesses moving funds domestically and internationally need payment institution permissions. Payment processors and acquirers serving merchants, payment gateways, and firms offering accounts and payment functionality all fall within the PSRs. Open banking providers — account information service providers and payment initiation service providers — operate under specific permissions introduced by PSD2.

E-money issuers — prepaid card providers, digital wallet and e-wallet operators, and firms that store customer value for later spending — need e-money permissions. Many modern fintech propositions, including app-based accounts and embedded-finance products, are built on e-money institution permissions because they involve holding stored value.

The sector includes both firms whose core business is payments or e-money and firms in other industries that add payment functionality to their proposition. Marketplaces, platforms, and software businesses that handle customer money increasingly find themselves within the perimeter and needing authorisation, or needing to operate under an agency or distribution arrangement with an authorised firm.

Firms of very different sizes are affected. The small payment institution and small e-money institution categories provide a lighter-touch route for firms below the volume thresholds, while larger and higher-volume firms need full authorisation with the corresponding capital, safeguarding, and governance obligations.

What Firms Get Wrong

The most common failure is mis-categorising the permission needed. Firms sometimes apply for payment institution permissions when their model involves storing value and therefore requires e-money permissions, or they seek the wrong combination of payment services. Getting the categorisation wrong wastes time and can require re-application. The scope of the permission must match the business model precisely.

The second failure is inadequate safeguarding arrangements. This is the single most common reason payment and e-money applications and firms run into difficulty. Firms underestimate what safeguarding requires — a properly designated account, daily reconciliation, clear documentation of the method used, and controls that ensure relevant funds are identified and segregated correctly. A safeguarding approach that looks fine in principle but lacks operational rigour will not satisfy the FCA.

Third, firms under-resource financial crime controls relative to their risk. Given the transaction volumes and cross-border nature of much payments business, the FCA expects a robust business-wide risk assessment, proportionate customer due diligence, effective transaction monitoring, and a properly resourced MLRO function. Firms that treat financial crime as a light-touch obligation are a supervisory and enforcement target.

Fourth, firms underestimate capital requirements — both the initial capital and the ongoing own funds they must maintain. Capital that is adequate at authorisation can become inadequate as the business grows, and firms that do not plan for ongoing own funds find themselves in breach.

Finally, firms overlook the PSD2 operational and security requirements — strong customer authentication, incident reporting, and the security measures the regime requires. These are not optional extras; they are core obligations that the application must address and the firm must implement.

What Evidence the FCA Expects

The FCA expects a comprehensive regulatory business plan setting out the firm's model, the specific payment services or e-money activities it will provide, its target market, and its projected volumes and financials. The plan must make clear which permission category the firm is applying for and why, and demonstrate that the model is viable and sustainable.

Safeguarding evidence is central. The FCA expects a clear description of the safeguarding method (segregation or insurance/guarantee), the designated account arrangements, the reconciliation process, and the controls that ensure relevant funds are correctly identified and protected. This should be supported by documented procedures, not just a statement of intent.

Capital evidence must show that the firm holds the required initial capital and can maintain the ongoing own funds its activities require, with financial projections demonstrating adequacy under realistic and stressed scenarios.

Financial crime evidence must include a business-wide risk assessment tailored to the firm's payments risk, AML policies and procedures, customer due diligence and monitoring arrangements, and details of the MLRO function. Given the sector's risk profile, this is examined closely.

The FCA also expects evidence of governance and competent people — the individuals who will run the firm and hold key functions, their fitness and propriety, and the governance framework — as well as arrangements for operational and security risk, including strong customer authentication and incident management where applicable. Across all of this, the firm must demonstrate that it meets the conditions for authorisation under the relevant regime.

Good Implementation

A well-prepared applicant starts by categorising its permission correctly, mapping its actual business model to the payment services and e-money activities in the regime and confirming whether it stores value. This determines everything that follows, so it is worth getting right before any application work begins.

Safeguarding is designed and documented to a high standard from the outset. The firm chooses a safeguarding method appropriate to its model, sets up the designated account arrangements, builds a daily reconciliation process, and documents the whole approach clearly. It treats safeguarding as an operational discipline, not a policy statement, because that is how the FCA assesses it.

Financial crime controls are built proportionately to the firm's payments risk. The business-wide risk assessment drives the controls, transaction monitoring is calibrated to the firm's typologies, and the MLRO function is genuinely resourced — often, for smaller firms, through experienced outsourced support. Capital is planned not just to meet the initial minimum but to remain adequate as the business scales.

The firm implements the PSD2 operational and security requirements — strong customer authentication, incident reporting, and security controls — as part of building the business, so that these are demonstrable at authorisation and operational from launch.

The application itself is complete, well-evidenced, and responsive to the FCA's expectations, with a clear business plan and organised supporting evidence that anticipates the case handler's questions. This is what keeps the assessment moving and avoids the delays that incomplete applications cause.

How Our Tools Help

MEMA's free FCA Fee Calculator helps payment and e-money firms understand the regulatory fees associated with authorisation and ongoing supervision, supporting the financial planning the application requires. Our Regulatory Perimeter Assessment tool helps firms confirm which permissions their model needs — including whether their activity involves e-money or only payment services — and identify the obligations that come with each, drawing on the Payment Services Regulations, the Electronic Money Regulations, and the FCA's guidance.

Together the tools give a firm considering authorisation a structured starting point: a clear view of the permission category, the associated obligations, and the cost base, which feeds directly into the regulatory business plan.

How Our Service Helps

MEMA supports payment and e-money firms through the full authorisation process. We help firms categorise the permission correctly, prepare the regulatory business plan and financial projections, design and document safeguarding arrangements to the standard the FCA expects, build proportionate financial crime frameworks, and address the PSD2 operational and security requirements. Our team includes ex-FCA regulators and financial crime specialists who understand how payment and e-money applications are assessed.

Because safeguarding and financial crime are the areas where the FCA scrutinises this sector most closely, we focus particular attention on getting them right — building safeguarding processes and reconciliations that stand up to examination, and financial crime controls proportionate to the firm's transaction profile. For firms that need ongoing support after authorisation, we provide outsourced compliance and MLRO support tailored to the payments sector.

We also help established payment and e-money firms vary their permissions as they add services, and keep pace with the significant regulatory change underway in payments, including the FCA's evolving safeguarding regime.

Relevant Sectors

The payment services sector is the core constituency — money remitters, payment processors and acquirers, payment gateways, open banking providers, and firms embedding payments into wider propositions all operate under the Payment Services Regulations and need the appropriate authorisation or registration.

E-money firms — prepaid card providers, digital wallet operators, and app-based account providers that store customer value — operate under the Electronic Money Regulations and need e-money institution permissions, which also allow them to provide payment services.

Fintechs and technology-led firms are among the most active applicants, often building propositions on e-money or payment institution permissions and needing to navigate categorisation, safeguarding, and financial crime obligations as they scale. Marketplaces and platforms that handle customer money increasingly find themselves within the perimeter and needing either their own authorisation or an arrangement with an authorised firm.

Cryptoasset firms offering payment or e-money-like functionality alongside their crypto activities face particular complexity, as they may need to navigate both the payments regime and the emerging cryptoasset framework — an area where careful perimeter analysis is essential.

Frequently Asked Questions

What is the difference between a payment institution and an e-money institution?

A payment institution (PI) is authorised or registered under the Payment Services Regulations 2017 to provide payment services — such as executing payments, acquiring, money remittance, or account information and payment initiation. An electronic money institution (EMI) is authorised or registered under the Electronic Money Regulations 2011 to issue electronic money (a stored monetary value, such as a prepaid balance or e-wallet) as well as to provide payment services. If your model involves storing value that customers can spend later, you generally need EMI permissions; if you only move money without storing it, PI permissions may be sufficient. The distinction drives which regime, capital requirements, and safeguarding rules apply.

How much capital do you need for payment or e-money authorisation?

Authorised payment institutions need initial capital of EUR 20,000, 50,000, or 125,000 depending on the payment services provided (money remittance is the lowest, services involving holding funds the highest). Authorised e-money institutions need initial capital of EUR 350,000. Firms must also hold ongoing own funds calculated under the relevant method, which for larger firms will exceed the initial capital minimum. Small payment institutions and small e-money institutions face lower or no initial capital requirements but are subject to activity thresholds. Firms should budget for capital to be maintained on an ongoing basis, not just at authorisation.

What is safeguarding and why does it matter for authorisation?

Safeguarding is the requirement to protect customers' funds so that, if the firm fails, those funds are returned to customers rather than lost to creditors. Payment and e-money firms must safeguard relevant funds either by segregating them in a designated safeguarding account with an authorised credit institution or by covering them with an insurance policy or comparable guarantee. Safeguarding is one of the FCA's central concerns for the sector — it has issued repeated guidance and taken action where firms' safeguarding arrangements were inadequate. A credible, well-documented safeguarding approach is essential to a successful authorisation application.

How long does payment or e-money authorisation take?

The FCA has a statutory period of three months to determine a complete application for payment institution or e-money institution authorisation, though in practice the elapsed time is usually longer because the clock is affected by requests for further information and the completeness of the application. Registration as a small payment institution or small e-money institution can be quicker. As with all FCA applications, the main driver of the timeline is the quality and completeness of the submission — well-evidenced applications that anticipate the FCA's questions move faster.

payment institution authorisationEMI authorisatione-money licencePSD2safeguarding

Need help implementing this?

Our regulatory consultants can help your firm meet FCA requirements with practical, evidence-based implementation support.

Book a Free Consultation