EMI / PI licensing-success forensic register (EEA + UK)

Last reviewed 2026-05-03  ·  Version 1.0.0  ·  Evidence cutoff 2026-05-03

The Electronic Money Institution and Payment Institution market across the EEA and the UK looks, from a distance, like a single deep pool of more than thirty national licence routes. It is not. Three observable success routes dominate the population, the failure surface is concentrated in five recurring control gaps, and apparent volume in any one jurisdiction does not translate into supervisory tolerance for thin applicants.

This analysis treats the verified-floor population of 571 successful records as a positive-control benchmark, supplements it with named public-enforcement cases across nine regulators, and maps the patterns that separate higher-probability applicants from weak ones. The forensic graph below is the navigational view of the register itself — every entity connected to its home Member State and regulatory institution class, with service-scope breadth encoded by node size. Filter by jurisdiction × institution class × scope, or search by entity name, to subset the population. The full forensic dataset — cleaned benchmark, applicant archetypes, red-flag checklist, readiness scorecard, PSD3 forward-look — is available under briefing scope; contact partnership@finray.tech.

Companion artefact: the failure side of the survival curve — every authorisation that was revoked, cancelled, voluntarily returned, or failed regime transition across the same regulator perimeter — sits at EMI / PI authorisation-withdrawal forensic register. Reading the success and failure registers together is the only honest way to interpret either one.

Population landscape

The verified-floor population (data anchor 2 May 2026) is led by the UK FCA E-Money register at 289 currently active firms, with 264 Authorised EMIs and 25 Small EMIs. The Netherlands contributes 155 active EMI and PI rows from the DNB machine-readable register, refreshed daily at 06:00 local. Lithuania contributes 111 EMI and PI rows from the Bank of Lithuania participant list, which uniquely exposes sanctions and consumer-dispute counters per visible entry. Croatia contributes 16 EMI and PI rows plus three AISP-only registrations from the HNB current register.

This is not a complete EEA + UK census. The EBA EUCLID Payment Institutions Register (PIR) is the authoritative central anchor, but its bulk-extraction endpoint was not safely retrievable from the benchmark session — the public interface is a session-bound JS-rendered SPA and the underlying API is gated to anonymous fetches. Any jurisdiction not represented above is a coverage gap, not an absence. The structural ranking by supervisory style of the unrepresented jurisdictions is documented in the reference index at the page foot.

Volume in any one jurisdiction is not a proxy for either low or high standards. The EBA’s 2023 peer review on PSD2 authorisations and its 2025 follow-up both found that significant supervisory-practice differences remain across competent authorities, particularly in governance, internal controls and local substance. A high-volume licensing jurisdiction is not automatically a low-friction one. The Bank of Lithuania revocation cluster — Foxpay 2024, Kevin EU 2025, Lock Trust 2025, PAYRNET 2023 — is decisive evidence that a permissive-looking authorisation NCA can become a strict supervision NCA. Choosing an NCA “for speed” without establishing local mind-and-management, AML at scale, and ICT/DORA controls produces a higher revocation risk after authorisation.

Service mix and what it implies

Direct measurement of service breadth requires per-entity service flags from the EBA register or from a row-level NCA download. In the verified subset of 171 firms with observable service codes (DNB EMI + DNB PI + HNB transcribed register), the dominant services are service 3 (payment execution) and service 5 (issuing or acquiring of payment instruments). Services 7 (Payment Initiation Service) and 8 (Account Information Service) are materially present and growing — the open-banking Third Party Provider population has roughly doubled across the EEA between 2020 and 2024 on third-party aggregate data. Services 1 and 2 (cash placement / withdrawal) are concentrated in branch-thin specialists and ATM operators.

The most common multi-service combination across the observable subset is the bundle 3|5 — execution plus issuing or acquiring — appearing in 47 firms. The next most common is 3|5|7|8 — execution plus issuing/acquiring plus the PIS / AIS open-banking overlay. Adding services 1, 2 or service 6 (money remittance) shifts the firm into a different operational profile. Very broad scope (six or more services) is rare across the observable subset and is generally associated with established multi-jurisdiction PSPs, not with new applicants.

Timing waves

The directly verifiable monthly view is the UK FCA E-Money cohort over the last 36 months: counts range from zero to five effective-date entries per month, peaking February and March 2025. This gives a normalised UK pace of roughly two EMI authorisations per month over the last three years, with no observable post-PSD3-agreement burst. The 2024 cohort is 20 effective-date entries, 2025 is 25, and 2026-to-date is 14 (FCA CSV cut-off 2 May 2026).

A larger structural pattern, observable from a combination of NCA peer-review evidence and the FCA timing series, is that the 2024–2026 cohort is markedly smaller than the 2018–2021 cohort. This is consistent with the post-Wirecard, post-Solaris-fine, post-Foxpay tightening across the EEA — applications still flow, but the average preparation depth and AML/safeguarding evidence quality required at filing has materially increased.

Five institution classes

The five institution-class anchors in the graph above correspond to the five regulatory tiers visible in the verified-floor benchmark. Counts are exact; success-probability bands are derived from observable patterns in the positive-control population plus regulator-signal frequency in the named-enforcement dataset.

• Authorised EMI (293 of 571 records — 65–80% application success probability where the operating model is coherent). Full Electronic Money Institution authorisation under EMD2. Highest evidentiary bar in the population: full safeguarding, full DORA scope, full passporting where the home NCA grants it. Most multi-service neobanks and broad-scope PSPs sit here.
• Authorised PI (115 of 571 records — 70–85% where the service mix is narrow). Full Payment Institution authorisation under PSD2. No e-money issuance. Service mix typically narrower than authorised EMIs — execution plus acquiring or remittance, with PIS / AIS overlays for the open-banking cohort.
• Light-regime EMI (122 of 571 records — 60–80%, with attrition risk that materially exceeds the application risk). Small + restricted + exempted + non-limited EMI tiers. Easier entry, but the UK Small EMI cohort attrition rate is approximately 38% of all firms ever in the register (124 cancelled-Authorised plus 35 cancelled-Small plus 19 EMD-revoked, against 467 ever-active). Easy entry is not the same as easy continuation.
• Light-regime PI (38 of 571 records — 65–80%). Exempted-PI status under national PSD2 implementations. Frequently money-remittance specialists, narrow domestic execution-only operators, or single-customer-segment PSPs.
• AISP-only (3 of 571 records — 75–90% where the operating model is genuinely read-only). Account Information Service Provider registration under PSD2 Article 33. Lighter regime; not equivalent to PI authorisation. No funds handled, so safeguarding does not apply, but ICT / DORA and customer-data protection obligations remain.

A sixth, anti-pattern profile — generic policies, aspirational board, no clear local executives, fuzzy outsourced core, scope list longer than the actual product roadmap — does not appear as a node in the graph above by construction. It is the common failure shape and self-disqualifies rather than maps to a particular institution class.

Failure pattern is structural, not regulatory

There is no public EU-wide rejection register. The negative dataset is a weak-control set: register-status cohorts (UK FCA cancelled and EMD-revoked entries), public Final Notices and equivalent regulator publications, and supervisory news pages. Every named case below is a public-record enforcement action with a reachable primary-source URL.

The named cluster spans nine regulators across the EEA and the UK in 2023–2025. The Bank of Lithuania pattern is the sharpest: an EMI revocation in 2024 for “serious and systematic breaches of legal acts regulating the prevention of money laundering and terrorist financing, safeguarding of client funds” (Foxpay); a PI revocation in 2025 where the firm “failed to meet the minimum own funds and initial capital requirements for almost two consecutive quarters” (Kevin EU); a second PI revocation in 2025 on governance and fit-and-proper grounds (Lock Trust); and a 2023 EMI revocation in the canonical outsourcing/intermediary-supervision case (PAYRNET).

The Swedish Finansinspektionen pattern: a SEK 500m AML remark and warning issued in December 2024 (Klarna), and an authorisation withdrawal for “extensive and serious deficiencies” in AML/CFT in 2025 (Intergiro). The French ACPR: a €1m EMI penalty in 2024 for “very serious violations affecting fundamental elements of the AML/CFT system, particularly an inadequate and insufficiently discriminatory risk profile determination” (Treezor). The Luxembourg CSSF: an administrative penalty in 2024 for AML-framework non-compliance (Sogexia). The Dutch DNB: a money-exchange / PI licence withdrawal in 2023 with the objection rejected in 2024, on grounds of inability to “safeguard sound and ethical business operations” plus persistent IT problems and a parallel criminal investigation (Suri-Change). The Maltese MFSA: a cease-onboarding directive in 2024 until “governance and internal controls” were in place (Em@ney). The Irish CBI: a €324,240 reprimand-and-fine in 2024 on a PI for safeguarding funds in UK accounts in the name of a UK affiliate, “which was not in accordance with the requirements of the Payment Services Regulations 2018” (BlueSnap). The Spanish BdE: 2025 BOE sanctions against a PI for capital insufficiency (Divilo) and against an indirect shareholder for qualifying-holding non-notification. The UK FCA: the first-ever EMR enforcement action in 2024 imposing a £3.5m monetary penalty for breach of a voluntary requirement preventing onboarding of high-risk customers (CB Payments), and a 2024 cancellation grounded on “failing to deal with the Authority in an open and co-operative way” (Toza). The German BaFin pattern is structurally similar — the Solaris €6.5m AML fine in 2024 — and is the supervisory signal that embedded-finance and BaaS supervision has tightened materially.

Reading these signals as a class: weak applicants fail or stall because they ask the supervisor to trust assertions. Successful applicants supply evidence. An EMI or PI application is not a policy-writing exercise — it is a test of whether the business can operate exactly as described, under an identifiable EU or UK entity, with real people, real systems, real capital and auditable controls.

Hard-blocker control areas

Across the verified weak-control dataset, three control areas are responsible for the majority of revocations and Final Notices, and each appears as both an application-stage blocker and a post-authorisation revocation cause.

AML/CFT failure is present in roughly half of all verified rows — paper-only firm-wide risk assessment without product-level scenarios, un-tuned transaction monitoring, weak Enhanced Due Diligence on high-risk segments, Suspicious Activity Report pipeline gaps. The Klarna remark is the structural lesson: the Enterprise-Wide Risk Assessment must contain assessments of how the firm’s products and services could specifically be used for money laundering — generic firm-level statements fail.

Safeguarding failure is the second cluster — single-credit-institution concentration, safeguarding outside the home Member State, weak daily reconciliation, mis-categorised funds. The CBI BlueSnap reprimand is the structural lesson: safeguarding outside the home Member State, or in the name of a non-MS affiliate, breaches the Payment Services Regulations.

Governance / ICT / outsourcing is the third cluster — fit-and-proper failures at the head of the firm, ICT risk register absent, persistent IT problems, outsourcing critical functions without right-of-supervisory-access. The MFSA Em@ney directive is the structural lesson: governance and internal controls must be in place before customer onboarding, not retrofitted to it.

A fourth cluster — capital and own-funds insufficiency — is less frequent in absolute count but appears in two recent Bank of Lithuania revocations and one BdE BOE sanction. Capital must support the claimed scope under stressed assumptions, not optimistic ones.

Service-scope realism

In the 171-firm subset where scope is observable, narrow scope (1–2 services) dominates at 127 records. Moderate scope (3–4 services) accounts for 28, and broad scope (5–7 services) accounts for 16. Very broad scope (all 8 services) is not present in the observable subset. The 400 records where service codes are not observable include the entire FCA UK EMI download (the file does not expose Annex I service flags) and the Bank of Lithuania participant list page (service maps are not exposed at list level).

This supports a sequencing lesson visible across the success population: applicants that start with coherent narrow service bundles avoid self-inflicted contradictions in their evidence pack. Applicants who later achieved broad scope almost always achieved it via a later scope variation, not a one-shot broad-scope greenfield application. Capital, AML, ICT and safeguarding evidence are easier to validate against a coherent narrow scope; the NCA can accept incremental scope variations as the firm builds operating evidence.

Application-readiness scorecard

The application-readiness scorecard is a 10-category weighted instrument with hard-blocker caps. Categories: governance (12%), AML/CFT (15%), safeguarding (15%), ICT and DORA (12%), outsourcing (7%), capital and financial resources (10%), service-scope realism (7%), conduct and marketing alignment (7%), fit-and-proper (10%), evidence quality (5%). Hard blockers — AML/CFT credibility, safeguarding diversification, ICT/DORA implementation, capital adequacy, fit-and-proper at senior management, governance independence — cap the total score regardless of strength elsewhere. A firm that scores 95% on every other dimension but fails the safeguarding hard-blocker fails the gate. This mirrors the supervisory pattern visible in the verified enforcement dataset: AML, safeguarding and ICT are the three control areas where supervisors will not extend tolerance.

The full scorecard, the named-case red-flag checklist, the cleaned benchmark CSV (with confidence-scored business-model classifications), the 23-row weak-control dataset, the success-vs-failure matrix and 18 derived datasets are available as a forensic pack under briefing scope. Email partnership@finray.tech with the subject line “EMI/PI forensic pack”.

PSD3 / PSR forward-look

On 27 November 2025 the European Parliament and the Council reached provisional political agreement on PSD3 and the Payment Services Regulation (PSR). Formal adoption and Official Journal publication are expected in 2026, with an 18-month transitional period thereafter. The most material changes for applicants and licensees are: a new safeguarding option using direct accounts at central banks (subject to central-bank discretion); explicit safeguarding-method diversification requirements (no single safeguarding method for the totality of customer funds); strengthened own-funds and prudential reporting rules; and convergence of the EMD2 and PSD2 perimeters into a single PSR.

EBA Opinion EBA/Op/2025/08 (June 2025) on the PSD2 / MiCA interplay is a parallel pre-PSD3 supervisory steer relevant to e-money token issuers operating under the dual EMD2 + MiCA perimeter. EBA Guidelines 2024/14 and 2024/15 on internal policies, procedures and controls for restrictive measures apply from 30 December 2025. Applicants in flight should expect their NCA to test PSD3-readiness in addition to current PSD2 compliance.

Methodology and caveats

The benchmark population is the verified-floor extraction of four regulator registers as of 2 May 2026: the FCA E-Money Firms download (UK, 467 rows of which 289 currently active EMI/PI/Small EMI), the DNB machine-readable EMI and PI register downloads (Netherlands, 155 active rows), the Bank of Lithuania financial-market-participants list (Lithuania, 111 active rows manually transcribed because the page is JS-rendered behind a Cloudflare challenge for non-browser sessions), and the HNB register of payment service providers and electronic money issuers (Croatia, 16 EMI/PI rows plus three AISP-only registrations, manually transcribed from the public landing page).

This is not a complete EEA + UK census. The EBA EUCLID Payment Institutions Register at eba.europa.eu is the authoritative central register, but its bulk-extraction endpoint was not safely retrievable from the benchmark run. Per-NCA registers in jurisdictions not represented above (BaFin, MFSA, Banca d’Italia, Banco de España, ACPR, CSSF, CBI, FSMA Belgium, Banco de Portugal, KNF, CNB, Latvijas Banka, FSA Estonia, FIN-FSA, Finanstilsynet Denmark and Norway, Finansinspektionen Sweden, NBS) were variously Cloudflare-protected, JS-rendered or non-machine-readable in this run. The structural ranking of those jurisdictions, anchored in named public-enforcement signals, is documented in the reference index below.

Cleaning steps: DNB EMI and PI CSV downloads were parsed at the entity level using active home-register rows with blank end dates, then aggregated by relation number; outgoing passport countries were counted from active outgoing-passport rows. HNB rows were manually transcribed because direct file fetches were unstable in the run, but the current-register landing page and row text were public. Lithuania rows were manually transcribed from the live participant lists. UK benchmark rows were taken from the FCA E-Money Firms download, limited to active statuses (Authorised Electronic Money Institution and Small Electronic Money Institution). Business-model classification is an inference layer built from institution names, known-brand overrides and service codes where available, with confidence scoring; it is a useful analytical layer, not a register fact.

A record in a register is treated as positive-control evidence of authorisation or registration, but not as evidence that the firm is low risk or free of later supervisory concerns. Absence from a register is not treated as rejection — most NCAs do not publish refusal lists, and applicants who withdraw before refusal do not appear anywhere. The supervisory-quality picture is therefore drawn from post-authorisation enforcement, not from refusal data. This is an important caveat for any quantitative use of “success rate”: the denominator is unobservable.

This analysis is research, not legal advice. Applicants should validate any jurisdictional or service-scope inference against their own counsel and the relevant national competent authority before action. Finray Technologies Ltd is not a bank, payment institution, e-money institution, CASP or licensed financial intermediary of any kind.