Apr 21, 2026

Governance Structure for an EMI

Illustration: governance structure for an EMI, showing board oversight, internal controls, risk management, and regulatory governance for an electronic money institution.

When founders prepare an EMI licence application, they often focus first on capital, safeguarding, AML documents, and the business plan. All of those matter. But one area regularly decides whether an application looks credible or fragile: the governance structure for an EMI.

Regulators do not look at governance as a corporate formality. They look at it as proof that the institution can be directed, controlled, monitored, and corrected in a supervised environment. Under the Electronic Money Directive, the prudential regime for EMIs applies largely through the PSD2 authorisation framework, which means the governance standards expected from payment institutions also matter for electronic money institutions.

That point is often underestimated. A beautiful organigram is not enough. A regulator wants to understand who is actually in charge, who challenges decisions, who controls risk, who oversees outsourcing, who owns AML/CFT compliance, who manages incidents, and whether the EMI is genuinely run from the home Member State rather than from somewhere else in practice. The EBA’s 2025 follow-up peer review made clear that governance, internal controls, and local substance remain key areas where supervisory approaches still diverge across the EU, creating risks of regulatory arbitrage. 

So if you are designing a governance structure for an EMI, the right question is not “what looks acceptable in a pitch deck?” The right question is: what would satisfy a regulator that this institution can be managed in a sound and prudent way on day one and after authorisation?

Why governance matters so much in an EMI application

An EMI is not just a tech product with a licence attached. It is a supervised financial institution that handles customer funds, issuance and redemption logic, operational risk, financial crime risk, outsourcing dependencies, ICT risk, and potentially cross-border activity. That means regulators expect governance arrangements and internal control mechanisms that match the business model.

The EBA authorisation guidelines are explicit. An EMI applicant should provide a description of governance arrangements and internal control mechanisms, including risk mapping, periodic and permanent controls, accounting procedures, persons responsible for internal control functions, composition of the management body, oversight bodies or committees, monitoring of outsourced functions, monitoring of agents and branches, and group governance where relevant. 

This is why electronic money institution governance is not just about naming directors. It is about creating a working control architecture.

What regulators usually expect in an EMI governance structure

A real management body, not nominal directors

The first regulatory expectation is simple: the EMI must have a real management body with genuine authority and accountability.

Through the PSD2 framework applied to EMIs, the institution must identify directors and persons responsible for management and provide evidence that they are of good repute and possess appropriate knowledge and experience. The same framework also requires evidence that shareholders with qualifying holdings are suitable to ensure the sound and prudent management of the institution. 

In practice, regulators want to see more than impressive CVs. They want to understand whether the management body:

  • understands the EMI’s services and operational flows,
  • can oversee compliance and risk,
  • is able to challenge outsourced providers,
  • has enough time and capacity to perform its role,
  • is not merely decorative.

A weak board often reveals itself quickly. Titles look senior, but responsibilities are blurred. Decision-making lives outside the institution. Key people are borrowed from group companies without clear commitment. That kind of setup usually creates questions about effective management and local substance.

Clear allocation of responsibilities

A good governance structure for an EMI must show who owns which function.

Regulators generally expect clarity across at least these areas:

  • overall management and strategic direction,
  • risk oversight,
  • compliance,
  • AML/CFT control,
  • finance and accounting,
  • operations,
  • safeguarding oversight,
  • ICT and security oversight,
  • outsourcing oversight,
  • internal audit or equivalent independent review where proportionality requires it.

The EBA guidelines specifically require identification of the persons responsible for internal control functions, including periodic, permanent, and compliance control. They also require the applicant to describe the procedures used for regular and ongoing controls and the human resources allocated to them. 

That means a regulator should be able to see, without guesswork, how responsibility flows from the management body down into daily execution and back up into reporting and escalation.

Internal controls that exist beyond policy language

Many EMI applications contain internal control language that sounds good but says very little. Regulators are used to that. They want substance.

The EBA guidelines require a risk mapping, procedures to assess and prevent identified risks, accounting procedures, internal control responsibilities, and descriptions of how outsourcing, agents, and branches are monitored within the control framework. They also require procedures for incident handling, access restrictions for sensitive payment data, and business continuity arrangements. 

So EMI internal controls should usually include:

  • control ownership,
  • reporting lines,
  • review frequency,
  • escalation thresholds,
  • documented approvals,
  • evidence trails,
  • board or committee reporting,
  • remediation tracking.

If the control environment exists only in the compliance manual but not in management information, reporting packs, or operational workflows, regulators will usually notice.

Proportionate three-lines-of-defence logic

Not every EMI needs a huge institutional structure on day one. Regulators understand proportionality. But proportionality does not mean absence of structure.

The EBA’s 2025 follow-up peer review noted that almost all supervisors reported applying the three-lines-of-defence model to applicant payment institutions and electronic money institutions in a proportionate way, while significant differences still remain in how governance and internal control requirements are formalised and implemented across jurisdictions.

For a smaller EMI, that often means:

  • first line: business and operations owning day-to-day risks,
  • second line: compliance and risk oversight,
  • third line: independent assurance, often internal audit or a functionally independent review mechanism, depending on scale and complexity.

The key is not copying a bank’s governance chart. The key is showing credible independence, oversight, and challenge in proportion to the business.

Outsourcing oversight is a governance issue, not only an operations issue

A large number of EMI business models rely on outsourcing: core platforms, KYC tooling, transaction monitoring, card processing, cloud infrastructure, customer support, accounting support, or programme-management arrangements.

Regulators do not expect outsourcing to eliminate accountability. They expect governance to remain inside the EMI. The EBA guidelines explicitly require a description of how outsourced functions are monitored and controlled so that the quality of internal controls is not impaired.

This is one of the most important regulator expectations for an EMI. If a founder says, “our provider handles that,” the next supervisory question is usually, “how do you oversee the provider?”

A credible answer normally includes:

  • service ownership inside the EMI,
  • approval and review of providers,
  • KPIs and SLAs,
  • incident reporting and escalation,
  • access control and audit rights,
  • contingency planning,
  • termination and transition logic,
  • board-level visibility over critical outsourcing.

AML/CFT responsibility must be anchored in governance

An EMI can have sophisticated onboarding tools and still fail governance review if AML ownership is vague.

The EBA’s follow-up peer review noted remaining gaps in some supervisors’ approaches, including the assessment of the person responsible for AML/CFT compliance and oversight of branches, agents, and distributors.

That means regulators want to see:

  • a clearly designated AML/CFT responsible person,
  • reporting lines into senior management,
  • independence from commercial pressure,
  • oversight of outsourced AML components,
  • monitoring of agents, distributors, and branches where relevant,
  • regular reporting into management and governance bodies.

In practice, EMI governance requirements often fail here not because there is no AML policy, but because no one can clearly explain who owns AML decisions, who approves risk appetite, who receives MI, and who escalates breaches.

Local substance and effective management

One of the most sensitive areas in EMI licensing is local substance.

Recent EBA supervisory work shows that all competent authorities in the 2025 follow-up review reported verifying effective management and control from the home Member State at authorisation stage, but expectations still diverge regarding how applicants should demonstrate it.

This matters a lot for firms that try to run the institution from another country while treating the licensed entity as a shell. Regulators increasingly test whether:

  • key decisions are made in the home Member State,
  • senior management is genuinely engaged,
  • records and governance evidence are available locally,
  • outsourcing does not hollow out the institution,
  • the EMI has enough in-house substance to control its regulated activities.

For the Czech Republic, that point should be taken seriously from the start. The CNB’s EMI licensing page makes clear that specimen forms and the content of annexes are formally prescribed, which means governance evidence should be prepared in a structured and reviewable way, not improvised late in the process. 

ICT governance is now part of the conversation

The old approach of treating ICT as a purely technical matter is no longer enough. DORA applies to electronic money institutions, and its governance logic is explicit: the management body bears the ultimate responsibility for managing the financial entity’s ICT risk. 

That means what regulators expect from an EMI now includes governance over:

  • ICT risk strategy,
  • security controls,
  • incident response,
  • resilience testing,
  • change management,
  • third-party ICT oversight,
  • role allocation for digital operational resilience.

So even if an EMI outsources large parts of its tech stack, the management body still needs meaningful oversight. A board that cannot explain critical ICT dependencies, incident escalation routes, and resilience controls will not look ready for a supervised market.

What a strong EMI governance model usually contains

A strong governance structure for an EMI usually contains the following building blocks:

Management body

A board or equivalent governing body with clear authority, meeting cadence, reserved matters, reporting routines, and documented oversight of regulated activity.

Senior management

Named individuals responsible for business execution, compliance, AML/CFT, finance, operations, safeguarding oversight, and ICT/security oversight.

Control framework

Clear first-line ownership, second-line challenge, and independent review or third-line assurance proportionate to size and complexity.

Committees or structured reporting forums

Not every EMI needs many committees, but decision-making forums for risk, compliance, incidents, outsourcing, and financial oversight often strengthen the model.

Outsourcing governance

A clear map of critical providers, internal owners, control procedures, and escalation routes.

Documentation and evidence

Policies matter, but board minutes, MI packs, risk registers, incident logs, approval records, and remediation tracking matter more in practice.

Common governance mistakes in EMI projects

The most frequent mistakes are surprisingly repetitive.

One is appointing impressive directors who are not operationally engaged. Another is merging compliance, risk, and business into one blurred function without real independence. A third is outsourcing core processes without retaining oversight capacity inside the EMI.

Another common mistake is treating local substance as a legal fiction. That can work in presentations, but it tends to fail under regulatory questioning.

And finally, many firms build a governance chart that ignores the real risk drivers of the business model. An EMI with outsourced onboarding, wallet infrastructure, and transaction monitoring should not have the same practical governance emphasis as a simple domestic payment processor.

How AMS helps structure EMI governance

At AMS Europe, we treat governance as one of the core licensing workstreams, not as a cosmetic annex.

That usually means helping clients map management responsibilities, define control functions, allocate ownership for AML/CFT and safeguarding oversight, align outsourcing oversight with actual operations, and prepare governance evidence that matches what the regulator will review in the file.

For Czech EMI projects, that also means designing the governance package in a way that fits the CNB application logic and the broader EU prudential expectations that apply to electronic money institutions through the PSD2 and EBA framework. 

AMS Europe helps founders and owners build governance models that stand up to regulatory scrutiny, not just internal presentations.

Final thoughts

A regulator does not expect every EMI to look like a major bank. But it does expect the institution to look governable.

That is the heart of the issue. A governance structure for an EMI should show that the institution can make decisions responsibly, control risks, supervise outsourcing, handle incidents, comply with AML/CFT obligations, and prove effective management from the home Member State.

If your governance model depends on informal arrangements, hidden decision-makers, or outsourced black boxes, it is probably too weak for licensing. If it clearly allocates responsibility, evidence, challenge, and oversight, it is already moving in the right direction.

FAQ

What do regulators actually expect from EMI governance?

Regulators expect a governance setup that works in practice, not just on paper. This means clear decision-making, defined responsibilities, real internal controls, and visible oversight across risk, compliance, and operations. The structure should show that the EMI can be properly managed from day one.

Do EMI directors need to meet specific regulatory standards?

Yes. Directors and senior managers must meet “fit and proper” requirements, meaning they need to have a good reputation, relevant experience, and the ability to manage a regulated financial institution. Shareholders with significant ownership are also assessed.

Does an EMI need a full three-lines-of-defence model?

In most cases, yes — but in a proportionate way. Regulators expect a clear separation between business operations, control functions, and independent oversight, even if the structure is simplified for smaller firms.

How important is role clarity in an EMI structure?

Very important. Regulators want to see exactly who is responsible for compliance, AML, risk, operations, and other key functions. If responsibilities are unclear or overlapping, it raises immediate concerns.

Can an EMI outsource key functions?

Yes, outsourcing is common — but it does not remove responsibility. The EMI must retain control, monitor providers, and be able to demonstrate how outsourced activities are supervised and managed internally.

What is the biggest governance mistake in EMI applications?

A common mistake is treating governance as a formality — appointing directors without real involvement, or creating structures that look good on paper but don’t reflect how the business actually operates.

How important is local substance for EMI governance?

It is critical. Regulators expect that key decisions and management activities are genuinely carried out in the home Member State, not elsewhere. Weak local presence is one of the most frequent reasons for additional scrutiny.

Does ICT regulation (like DORA) affect EMI governance?

Yes. Under DORA, the management body is ultimately responsible for ICT risk. This means governance now also includes oversight of technology, security, resilience, and third-party providers, even if systems are outsourced.