Documents, evidence pack and typical mistakes by section

Why “a pile of PDFs” fails in Czechia
In the Czech Republic, the competent authority for EMI authorisation is the Czech National Bank (ČNB). Applications can be submitted only electronically (data box), and ČNB explicitly recommends using its published forms.
The fastest way to lose months is to submit policies that sound good but don’t prove anything. ČNB (and EU-level guidance) expects an evidence-backed, internally consistent operating model: product scope → processes → controls → IT/outsourcing → safeguarding → financials all matching up. The EBA authorisation guidelines are blunt: information should be true, complete, accurate, and up to date, with detail proportionate to the business.
Evidence pack: what it is, and how to structure it
Think of the evidence pack as a traceable dossier, not an appendix dump. Every claim in the application should map to an artefact you can show (policy, register, report, screenshot, contract clause, log extract, template, etc.).
Minimum structure (recommended)
- E00 – Evidence Index / Mapping Matrix: Requirement → document ID → section reference → owner → version/date → “what it proves”
- Governance pack (org chart, role descriptions, RACI, internal control framework)
- Process pack (customer journey + SOPs for key flows, with outputs and controls)
- Safeguarding pack (method, accounts, reconciliations, escalation, reporting)
- AML/CFT pack (RBA, KYC/EDD, TM scenarios, case management, reporting)
- ICT & security pack (architecture, access control, logging, change mgmt, incidents, BCP/DR)
- Outsourcing pack (register, due diligence, contracts/SLA, audit rights, exit plan)
- Financial model pack (assumptions, P&L/BS/CF, capital/own funds, stress cases)
- Customer protection pack (T&Cs, fees, complaints, disclosures)
Section-by-section checklist: documents + typical mistakes
1) Cover letter + scope definition (what you’re actually applying for)
Include
- Clear scope: e-money issuance + any payment services (and where you’ll operate)
- High-level product list and launch phases (MVP vs. full scope)
- Cross-reference to the Evidence Index
Typical mistakes
- “We’ll do everything” scope with no sequencing
- Scope mismatch across cover letter, forms, process descriptions, and financial model
2) ČNB forms + application mechanics (don’t freestyle this)
Include
- ČNB application forms (incl. e-money institution application form templates)
- Where/how you submit: data box
Typical mistakes
- Missing fields, inconsistent identifiers, different versions of the same facts
- Attachments not clearly labelled, no mapping matrix, no “single source of truth”
3) Capital and own funds (it’s not a vibe, it’s EUR)
Include
- Capital evidence + source-of-funds narrative (and documents)
- Own funds approach and ongoing capital monitoring triggers
- Financial plan showing how you remain adequately capitalised
Key rule to remember
- Czech Payment System Act translation states: initial capital for an EMI must be at least EUR 350,000.
Typical mistakes
- No credible explanation of source of funds / ownership chain
- A loss-making plan with no capital top-up plan or governance triggers
4) Governance & internal control framework
Include
- Org chart (incl. key functions), role descriptions, decision rights
- RACI for onboarding, safeguarding, reconciliations, AML reporting, incident handling
- Internal control framework (1st line doing, 2nd line oversight, 3rd line assurance)
Typical mistakes
- “Paper” governance: titles exist, but time commitment/experience doesn’t match
- No separation of duties (same person owns product + controls + approvals)
- No evidence of operational control artefacts (registers, MI, reporting cadence)
5) Programme of operations (products, flows, and who does what)
Include
- Product descriptions: issuance/redemption, funding methods, limits, fees
- Customer journey maps (from onboarding to closure)
- Money and data flow diagrams (including providers and systems)
Typical mistakes
- Flows described without outputs and control points (“we monitor transactions” how?)
- Hidden dependencies (card processor/KYC provider/ledger) not reflected in outsourcing docs
6) Safeguarding (this is where weak files go to die)
Include
- Safeguarding method description and operational model
- Segregated account setup and governance
- Reconciliation process: frequency, tolerances, escalation, reporting trail
- Evidence: sample reconciliation reports, approval logs, exception tickets
Typical mistakes
- “We will safeguard” with no mechanism and no timetable
- Reconciliations missing (or undefined: who, how often, what evidence, what happens on breaks)
- Safeguarding doesn’t reconcile with accounting/ledger model and financial assumptions
7) AML/CFT (yes, it must be real, not translated boilerplate)
Include
- Risk assessment (customer/product/channel/geography) + controls (CDD/EDD)
- Transaction monitoring rules/scenarios and case workflow
- Reporting procedure for suspicious activity + training programme
- Evidence: sample alert disposition, case notes template, training logs
Reference point
- Czech AML framework is based on Act No. 253/2008 Coll. (English translations exist).
Typical mistakes
- Generic AML policy that doesn’t match your products/channels
- No RBA (or RBA not connected to actual monitoring rules and onboarding decisions)
- “We’ll buy a tool later” without interim procedures and accountability
8) ICT & security (show controls, don’t just describe them)
Include
- Architecture overview + data flows + key system inventory
- Access control (RBAC), logging, change management, incident response
- BCP/DR with test evidence and ownership
Typical mistakes
- No evidence: no ticketing workflow, no logs, no access review outputs
- Contractor access unmanaged; no audit trail; no change approvals
- BCP/DR exists but has never been tested (and no one owns it)
9) Outsourcing (your vendors become your risk)
Include
- Outsourcing register: what, why, criticality, risks, owners
- Due diligence pack (security, resilience, financial, sub-outsourcing)
- Contract clauses: audit rights, access to information/premises, KPIs/SLA, exit plan
EBA outsourcing guidance matters here
- The EBA outsourcing guidelines emphasise audit/inspection/access rights in outsourcing agreements, especially for critical/important functions.
Typical mistakes
- No audit rights, no sub-outsourcing controls, no exit plan
- Declaring a core dependency “non-critical” without a defensible assessment
- SLA exists, but no monitoring evidence or governance cadence
10) Financial model (3 years) + assumptions + stress cases
Include
- P&L, balance sheet, cash flow (preferably monthly for Year 1)
- Assumptions book (volumes, pricing, costs, staffing, compliance, vendor fees)
- Downside cases (volume drop, cost spikes, fraud/chargeback and ops impacts)
- Traceability: volumes → balances → revenue → costs → capital/own funds
Typical mistakes
- Financials that don’t match operational capacity (e.g., 10k customers with 1 FTE onboarding)
- Understated compliance/outsourcing/IT costs and unrealistic timelines to launch
- No link between safeguarding operations and balance sheet mechanics
11) Customer protection: T&Cs, fees, complaints, disclosures
Include
- Draft customer terms + fee schedule + disclosures (plain, consistent)
- Complaints process with SLAs, escalation, reporting
Typical mistakes
- “Marketing terms” that don’t match the operational reality or fees in the model
- Complaints handled via “email us” with no process, logs, or accountability
12) Final consistency checks (the boring part that saves you months)
Before submission, run a consistency sweep:
- Same product scope everywhere (forms, ops, AML, safeguarding, financials)
- Same roles/owners everywhere (RACI, policies, org chart, contracts)
- Same numbers everywhere (pricing, volumes, staffing, vendor fees)
EBA guidance again: the submission must be complete, accurate, and up to date.
The “most common ČNB rejection triggers” in one list
- Internal inconsistency across sections (scope, roles, numbers)
- Boilerplate policies with no Czech-operational reality
- No evidence pack (no registers, samples, logs, reconciliations, approvals)
- Safeguarding described, but not operationalised (no reconciliation mechanics)
- Outsourcing without audit rights, governance, and exit planning
- Financial model not tied to processes/resources (and no stress logic)
FAQ: EMI application (Czech Republic) checklist
What does ČNB usually mean by an “evidence pack”?
An evidence pack is your proof trail: not just policies, but artefacts that demonstrate you can operate and control the EMI in reality. Think: process outputs, registers, reconciliations, logs, approvals, reports, contracts, SLAs, training records, screenshots from systems, and a mapping table that shows where each item supports the application narrative. The EBA authorisation guidance stresses the submission must be complete, accurate, and verifiable, not marketing text.
Which section most often causes delays or “rounds” of follow-up questions?
Safeguarding, closely followed by outsourcing and financial model credibility. Safeguarding fails when it is described “conceptually” but not operationalised: no reconciliation frequency, no exception handling, no approval trail, no clear linkage to ledger/accounting and to the balance sheet mechanics.
Do we need to have vendors (KYC, ledger, card processor) contracted before submitting?
If a vendor is critical to delivering the proposed service, you need to show ČNB you can govern it: due diligence, contractual control (audit/access rights where relevant), SLAs, monitoring, and an exit plan. At minimum, your outsourcing approach must be coherent and defensible under EU supervisory expectations on outsourcing, especially for critical/important functions.
We don’t have internal audit. Is that critical?
Not critical if you honestly cover the 3rd line with an alternative: an external audit/independent review on a plan, or a board-level review with a formal report and follow-up. What is critical is “audit” done by the same person who wrote the policy and then praised themselves.
How often do we need the 3rd line in a minimal version?
For most early-stage EMI startups: 1–2 themed reviews per year (AML/KYC, alerts/monitoring, outsourcing, incidents), plus follow-up on critical findings. Better small and regular than “once every three years, but 80 pages”.
Which KRIs make 3LoD real rather than ceremonial?
Minimum set: alert backlog (total + overdue), average response time for alerts/incidents, share of high-risk customers and EDD completion, complaint trends (top 3 reasons), incidents at critical vendors and SLA performance.
What is the minimum initial capital for an EMI in Czechia?
The Czech Payment System Act translation states the initial capital for an electronic money institution must be at least EUR 350,000.
What’s the fastest way to make an AML/CFT section look weak?
Four evergreen topics: onboarding (KYC/EDD) and decision quality, transaction monitoring/alerts closure discipline, outsourcing/vendor oversight, incidents & complaints (response and learnings).