UK E-Money Institution FCA Authorisation Roadmap

A step-by-step guide to UK authorised EMI authorisation: pre-application, FCA application form, regulatory business plan, safeguarding plan, SMCR, £350,000 initial capital, and realistic 9-15 month timelines.

Legichain Team · 12 min read · 26 May 2026

Carrying on e-money business in the UK requires FCA authorisation under the Electronic Money Regulations 2011 (EMRs). The UK recognises two regimes: small EMI (average outstanding e-money below €5 million, simplified regime) and authorised EMI (full authorisation, £350,000 initial capital plus ongoing capital requirements). This guide breaks the authorised EMI application into nine practical steps — from pre-application through post-approval operational set-up — written for international fintechs entering the UK e-money market. Typical duration is 9-15 months; total cost is £150,000-£400,000 plus the £350K regulatory capital.

Quick reference

  • Legal basis: Electronic Money Regulations 2011 (EMRs), SI 2011/99.
  • Regulator: FCA — Authorisations Division.
  • Two regimes: Small EMI (outstanding e-money <€5M, simplified) and Authorised EMI (full authorisation).
  • Capital: Small EMI nominal / none; Authorised EMI £350,000 initial + ongoing capital requirement (2% of average outstanding e-money).
  • Safeguarding: customer funds must be segregated — segregation account or insurance/guarantee.
  • Typical duration: 9-15 months; complex cases 18+ months.
  • Cost: £150,000-£400,000 (excluding regulatory capital).
  • Post-Brexit: no passporting; a UK authorisation is valid only in the UK.

Small EMI vs authorised EMI — which?

Decision matrix:

| Factor | Small EMI | Authorised EMI |
|---|---|---|
| Outstanding e-money limit | Monthly average < €5M | None |
| Per-customer e-money limit | €15,000 (per consumer) | None |
| Capital requirement | Nominal | £350,000 + ongoing |
| Authorisation timeline | 3-6 months | 9-15 months |
| Cost | £50,000-£150,000 | £150,000-£400,000 |
| Passporting | Never had | Lost at Brexit |
| Senior management | Less formal | Full SMCR scope |
| Reporting | Light | Comprehensive (FIN049, REP-CRIM, capital adequacy) |

Practical guidance: a product-market-fit-stage start-up may sensibly begin as a small EMI; an investor-backed firm with explicit scale ambitions should invest in authorised EMI upfront.

This guide focuses on authorised EMI.

Step 1: Pre-application

The FCA has a formal pre-application process for EMI applications. Meetings with the Authorisations Division are requested by email.

Bring to the pre-application meeting:

  • A business model summary (3-5 pages)
  • Proposed UK products and customer segments
  • Senior management structure (org chart + key person CVs)
  • Evidence of financial capacity (investor commitments, funding structure)
  • A high-level IT architecture diagram
  • A conceptual outline of the safeguarding approach

Value of pre-application: an early signal from the FCA on whether the business model should be assessed as an authorised EMI, a payment institution or another category. Categorisation changes are easier to absorb before the application is built.

Pre-application is not mandatory but skipping it materially increases the risk of an RFI storm later in the process.

Step 2: Regulatory business plan

The regulatory business plan is the core document of the EMI application. It typically runs 50-100 pages covering:

(a) Executive summary: firm, founders, vision, plan summary.

(b) Business model: e-money product detail, customer segments (B2C / B2B / institutional), revenue model, fee structure, partners (BIN sponsor, programme manager, processor).

(c) Market analysis: UK e-money market, competitors, positioning.

(d) Financial projections: 3-5 year revenue and cost forecasts, capital adequacy, customer base, average transaction size, churn and growth assumptions.

(e) Operational architecture: customer onboarding flow, KYC process, card issuance (if any), transaction processing, settlement.

(f) Risk management: written policies on financial crime, operational, cyber, credit (if any) and market risk.

(g) Governance: board, committee structure, lines of authority, SMCR appointments.

(h) Wind-down plan: how customer funds and data will be handled if the firm must cease operations — an area the FCA has emphasised heavily since 2023.

The business plan's technical realism is closely tested. Generic "we will provide banking-as-a-service for fintechs" is not enough — the FCA wants specific products, specific customer segments, specific integrations.

Step 3: Financial crime framework and AML policies

As an EMI you fall under MLR 2017 — bank-level AML/CTF obligations. The financial crime framework should include:

  • Money laundering risk assessment: product, customer, geography and distribution-channel risk.
  • CDD policy: digital onboarding (NFC, liveness, video), beneficial ownership, ongoing monitoring.
  • EDD policy: PEP, high-risk country, anomalous transaction triggers.
  • Sanctions screening policy: OFSI and global lists.
  • Transaction monitoring scenarios: structuring, rapid layering, geography risk.
  • SAR reporting: NCA line, MLRO appointment (SMF17), tipping-off prohibition.

Our UK MLR 2017 explainer covers the regulation in depth. In an EMI application, AML policies must demonstrate "operational liveness" — not just documented but integrated with IT systems and actually running.

Step 4: Safeguarding plan — the critical document

EMRs Regulations 20-22 mandate safeguarding of customer funds. An authorised EMI chooses one of two methods:

Method 1 — Segregation account: customer funds are held in an account separate from the firm's own money. The segregation account is ring-fenced; in insolvency it does not fall into the firm's estate.

Method 2 — Insurance or guarantee: an insurance policy or bank guarantee covering customer funds. Less common in practice because of cost.

The safeguarding plan should cover:

  • Method chosen (typically segregation account)
  • Which bank or banking partner will be used
  • Frequency of transfers of customer funds to the segregation account (D+0, D+1)
  • Reconciliation process — daily customer fund balance vs segregation account balance
  • Wind-down procedure for returning customer funds

FCA focus post-2022: enforcement actions for safeguarding breaches have noticeably increased since Wirecard. An area once treated with light review is now scrutinised in depth at the application stage.

Step 5: IT systems and cyber security

The FCA expects detailed documentation of IT architecture in the EMI application:

  • High-level system architecture: core ledger, onboarding, KYC, transaction monitoring, reporting, external integrations.
  • Vendor inventory: third-party providers in use (BIN sponsor, processor, KYC vendor, AML screening vendor and, if crypto-adjacent, Travel Rule).
  • Outsourcing controls: for critical outsourcing, written contracts, SLAs, audit rights, exit plans.
  • Cyber security policy: data protection, incident response, BCP/DR.
  • GDPR compliance: customer data protection, exercise of data subject rights.
  • Penetration testing: annual or after major changes.

The FCA is particularly focused on operational resilience (post-PS21/3) — meaning "Important Business Services" must be identified, with documented Impact Tolerances.

Step 6: SMCR — Senior Managers and Certification Regime

All UK authorised EMIs are subject to SMCR. The three-layer structure:

(1) Senior Manager Regime (SMR): certain senior roles are defined as Senior Management Functions (SMFs). Typical EMI appointments:

  • SMF1 — Chief Executive
  • SMF3 — Executive Director
  • SMF16 — Compliance Oversight
  • SMF17 — Money Laundering Reporting Officer (MLRO)
  • SMF24 — Chief Operations function (where complexity warrants)
  • SMF27 — Partner (for LLP structures)

For each SMF, a Statement of Responsibilities is written — the individual's scope is documented, with personal accountability.

(2) Certification Regime: annual fit-and-proper certification for individuals whose roles can significantly affect customers or pose material risk.

(3) Conduct Rules: behavioural rules applied to all staff.

Critical point for international firms: SMF1 (CEO) and SMF17 (MLRO) must be UK-resident with genuine decision-making authority. The FCA detects "title only" appointments quickly and refuses at the gateway stage.

Step 7: Application via the Connect portal

The FCA EMI application is submitted via the Connect online portal. A typical application pack:

  • Firm details, corporate structure, ownership
  • Senior management list and SMF Form A packs
  • Regulatory business plan (uploaded)
  • Financial crime framework, AML policies
  • Safeguarding plan
  • IT/cyber security policy
  • Capital adequacy evidence (£350K + recommended additional buffer)
  • 3-year financial projections
  • Wind-down plan

Application fee: typically £5,000-£15,000 for authorised EMI (varies with firm complexity).

Once submitted, the FCA Authorisations Division assigns a case officer.

Step 8: FCA assessment and the RFI process

FCA EMI assessment takes 9-15 months with three to seven RFI rounds. Typical RFI themes:

  • Safeguarding bank selection and contractual detail
  • Realism of financial projections (especially revenue side)
  • Genuine decision-making authority of UK-resident SMFs
  • Operational detail of AML/financial crime framework
  • Quality of IT vendors and outsourcing controls
  • Practicality of the wind-down plan
  • Customer journey and operational risk
  • Customer payment flow test results

Fast, detailed RFI responses materially shorten the assessment timeline. If after two or three rounds foundational questions are still being asked, the case officer will question whether the applicant is ready.

Step 9: Approval, operational set-up and ongoing obligations

The FCA reaches one of three outcomes:

  1. Authorised — the firm is added to the EMI register. Final after a 28-day appeal window.
  2. Refused — written reasoned decision; right of appeal to the Upper Tribunal.
  3. Minded to refuse — opportunity to withdraw.

Ongoing obligations after authorisation:

  • FIN049 (capital adequacy) and FIN071 (transaction volume) — quarterly
  • REP-CRIM (financial crime) — annual
  • Annual safeguarding audit — independent auditor report
  • Material change notification: business model, product, ownership, SMF changes
  • Operational resilience reporting
  • Principle 11 notifications: timely reporting of significant incidents
  • SAR reporting: to the NCA
  • Annual SMCR review: SMF Statement of Responsibilities and fitness refresh

Realistic cost and timeline

| Item | Range |
|---|---|
| UK legal counsel / authorisation adviser | £40,000 - £150,000 |
| Compliance / AML consultancy | £30,000 - £100,000 |
| Business plan / financial projection consultancy | £15,000 - £50,000 |
| IT architecture and safeguarding set-up | £30,000 - £150,000 |
| Audit and insurance | £15,000 - £50,000 |
| FCA application fee | £5,000 - £15,000 |
| UK-resident senior management (Year 1) | £200,000 - £400,000 |
| Regulatory capital (£350K) | £350,000 |
| Total (including capital) | £685,000 - £1,265,000 |
| Cost (excluding capital) | £335,000 - £915,000 |

Timeline: 9-15 months from pre-application to approval is typical. Complex cases run 18-24 months.

Pass rate: roughly 30% of FCA gateway applications are withdrawn or refused. Most refusals or withdrawals stem from safeguarding plans, IT architecture realism, or absent UK-resident SMFs.

Common pitfalls for international firms

1. The passporting illusion: pre-Brexit a UK licence carried EU passporting rights and an EU licence carried UK rights. Those rights ended on 31 December 2020. A UK licence is needed for the UK market, and a separate EU licence for the EU market. If the EU is on your roadmap, consider a parallel Lithuanian, Irish or Maltese EU EMI authorisation — our EMD2 explainer covers the EU side.

2. Missing UK-resident SMFs: "appoint a CEO from Istanbul" does not work. SMF1 and SMF17 must be UK-resident with genuine decision-making authority. Budget £200K+ annual UK senior-management cost.

3. Difficulty obtaining a safeguarding bank: the UK has a limited pool of banks willing to provide safeguarding accounts to fintechs (ClearBank, Currencycloud, BCB Group and similar specialty banks). Mainstream banks (Barclays, HSBC) are typically closed to fintech start-ups. Engage the bank before submitting; "we will find one after approval" triggers RFIs.

4. No buffer above £350K capital: the FCA mandates £350K initial capital but expects to see a buffer above the operational capital adequacy requirement (typically an extra £150K-£300K). An application at exactly £350K signals thin margin.

5. Superficial wind-down plan: since 2022 the FCA looks closely at wind-down plans — particularly the step-by-step customer fund return scenario and the financial capacity to execute it.

Frequently asked questions

How does UK EMI authorisation compare to EU EMD2 authorisation?

The core structure is similar — both built on safeguarding, capital, governance and AML. But post-Brexit the UK is developing MLR 2017 and EMRs independently; AMLD5/6 and the upcoming AMLR do not apply in the UK. UK SMCR applies more aggressive individual accountability; the EU equivalent (e.g. Senior Management Function appointments) is less detailed. Passporting works within the EU but not into the UK. Supervisor style also differs across EU regulators (BaFin, Bank of Lithuania, MFSA) and the FCA — the FCA typically runs tighter RFIs and a more active enforcement function.

Can I start as a small EMI and later upgrade to authorised EMI?

Yes — a common path. Start as a small EMI to validate product-market fit, then apply for authorised EMI as outstanding e-money approaches the €5M ceiling. The upgrade application takes as long as a fresh authorised EMI application (9-15 months), but operational track record and a real customer base provide strong evidence. During the transition you must not exceed the €5M threshold; the FCA monitors this closely.

Yes — FCA authorisation requires a UK Ltd, UK LLP or other UK legal entity. A UK branch of a foreign company is permissible but introduces additional complexity; most fintechs prefer to incorporate a UK Ltd. UK Ltd registration fees are nominal (£12); incorporation typically takes 1-2 weeks.

What is the difference between an EMI and a payment institution (PI)?

An EMI issues e-money — taking customer funds and holding them as digital value (card balance, account balance, wallet balance). A PI provides payment services — payment initiation, account information services, money remittance. A UK firm can be both (offering EMI + PI services) or only a PI. PI authorisation generally takes less time (6-9 months) and requires lower capital (£20K-£125K depending on service). If you are not issuing e-money — only moving funds — PI authorisation is sufficient.

Is the post-Brexit TPR still an alternative for EU firms entering the UK?

The Temporary Permissions Regime was a transitional authorisation regime for Brexit, designed for firms already operating in the UK under EU passporting rights. In the years after Brexit, TPR was wound down gradually: by 2023-2024 no new TPR entries were accepted, and firms in TPR had to either obtain full FCA authorisation or exit the UK. For new applicants, TPR is not an alternative; a standard FCA EMI application is the only route.

How Legichain helps

In the UK EMI authorisation process, documenting the AML/financial crime framework is typically one of the heaviest workstreams. Legichain's infrastructure aligns with the UK MLR 2017 + JMLSG framework: OFSI sanctions screening, UK PEP data layer, beneficial ownership integration with Companies House PSC, transaction monitoring scenario engine and NCA SAR auto-formatting. Our AML screening API match-grouping layer reduces false-positive workload by over 80% at authorised EMI scale. Our digital KYC module supports NFC + liveness + video verification compliant with UK regulation. The e-money institution solutions page covers authorised EMI architecture detail; pre-built integration lets you tell the FCA case officer "here is a live system on named vendors with audit logs" — a far stronger position than "we will build it after approval".

Legichain Team · Compliance editorial

Written by Legichain's compliance editorial team — regulated-financial-services veterans who built and integrated AML platforms for banks and crypto exchanges across EMEA.
