What Regulators Actually Expect From a Payment Institution
Founders often ask how to get a PI license as if the answer were a checklist of forms, signatures, and incorporation papers. In reality, a payment institution licence is not granted because a company completed a filing package. It is granted when the regulator is satisfied that the applicant can run a payment business in a controlled, lawful, and sustainable way. Across the EU, the licensing framework still sits on PSD2, while local authorisation is handled by the national competent authority. In the Czech Republic, that role belongs to the Czech National Bank, and the process is tied to the Payment System Act and implementing decrees.
That difference matters. A regulator does not assess a PI application as a startup story. It assesses it as a supervised financial-infrastructure project. So the central issue is not “how fast can we obtain a licence?” but rather “can we demonstrate that our business model, controls, funding, and governance are strong enough to operate under supervision?” The EBA’s PSD2 authorisation guidelines make that clear by requiring a programme of operations, business plan, governance framework, security arrangements, outsourcing information, and evidence supporting the full operational model.
First, be clear about what licence you actually need
A surprising number of payment projects start with the wrong regulatory assumption. They describe themselves as a wallet, a platform, a fintech app, or a payment solution, but those labels do not decide the licensing perimeter. What matters is the actual activity: who receives funds, who controls the payment flow, whether payment accounts are involved, whether payment instruments are issued, whether funds are held even temporarily, and what part of the chain is outsourced.
This point is critical because the licence category drives almost everything that follows: minimum capital, safeguarding method, AML setup, contractual structure, outsourcing analysis, and cross-border strategy. Under PSD2, the initial capital requirement for a payment institution depends on the services provided and is generally set at EUR 20,000, EUR 50,000, or EUR 125,000. That means scope errors at the beginning often create capital and compliance errors later in the application.
A PI licence is not just about entry capital
Many applicants focus on one number and assume that once the initial capital is deposited, the hardest part is done. That is not how supervisors view it. Initial capital is only the starting threshold. The authority also wants to understand whether the institution will remain financially sound after launch, after onboarding clients, after building compliance functions, after paying vendors, and after absorbing normal operational stress.
In Czech practice, the licensing route for payment institutions is tied to Act No. 370/2017 Coll. and the related decrees on applications and business conditions. The CNB’s own licensing materials also point applicants to the EBA authorisation guidelines, which means the review is not limited to formal corporate documents. It is a broader prudential and operational assessment.
A serious PI project therefore needs more than a minimum-capital figure on paper. It needs a credible funding story, realistic financial projections, transparent ownership, and management that is able to explain how the institution will remain adequately organised and capitalised once it starts processing payments.
Safeguarding is where many weak applications become obvious
If the business will receive or hold client funds, safeguarding cannot be treated as a legal appendix added near the end of the project. It is one of the core design questions of the licence.
Regulators want to see exactly how client money will be protected, where it will be placed, how quickly it will be segregated, how reconciliations will work, what happens when there is an operational discrepancy, and which people or systems control access. The EBA authorisation guidelines explicitly require applicants to describe their safeguarding arrangements and provide the supporting documentation relevant to the chosen model.
This is why banking access and safeguarding design should be developed in parallel. A payment institution cannot safely treat the safeguarding account as a detail to be solved after authorisation. If the future operating model depends on a bank relationship, reconciliation workflow, or external provider, the regulator will expect that logic to appear in the application file itself.
AML must be built around the payment flow, not copied from templates
Another major reason PI applications feel weak is that the AML section often looks detached from the product. It may include the right headings, but it does not reflect the real risks created by the actual service.
In the Czech Republic, payment institutions fall into the AML/CFT framework built around Act No. 253/2008 Coll., with implementing rules and supervisory expectations published by the CNB. That means the AML setup must do more than repeat generic obligations. It should show how customer due diligence, sanctions screening, transaction monitoring, escalation, internal reporting, recordkeeping, and suspicious-transaction handling connect to the real onboarding and transaction model of the applicant.
A remittance model, a merchant-acquiring model, and an account-based payment model do not carry the same risk profile. The same is true for B2B, B2C, high-risk merchants, cross-border corridors, and outsourced onboarding. Good applications recognise those differences early. Weak ones pretend one AML manual can explain everything.
Governance is not a formality; it is a credibility test
Regulators expect payment institutions to have people in charge who are actually capable of running a supervised business. This sounds obvious, but many files still fail to convince because the governance structure is too thin, too symbolic, or too dependent on external providers.
The EBA guidelines require detailed information on governance arrangements, internal control mechanisms, organisational structure, and security risk management. In practice, that means the authority wants to know who owns compliance, who owns risk, who approves outsourcing, how incidents are escalated, how conflicts are managed, and whether the management body has sufficient knowledge and availability for the institution’s business model.
This is one of the main dividing lines between a file that looks professional and one that looks improvised. A polished presentation deck may impress investors. It does not replace a coherent governance map.
Technology and operational resilience now sit much closer to the centre
Any modern discussion of how to get a PI license has to acknowledge that regulators no longer see technology as a background issue. For payment institutions, it is part of the licensing substance.
At EU level, DORA applies from 17 January 2025, and the CNB also lists it among the regulations relevant to the payments sector. That pushes ICT governance, incident handling, outsourcing control, access management, business continuity, and resilience much closer to the heart of regulatory assessment.
Even before DORA, the EBA authorisation guidelines already required a security policy and a risk assessment for the proposed payment services. In other words, applicants have long needed to explain how systems are secured, how incidents are detected, how logs are maintained, and how third-party dependencies are controlled. DORA only makes that expectation harder to ignore.
So if the institution will rely on external KYC providers, processors, cloud systems, ledger vendors, or compliance platforms, the application should show more than vendor names. It should show governance over those dependencies.
In the Czech Republic, the filing itself is structured and formal
Choosing the Czech Republic as the home jurisdiction means dealing with a regulator that expects the file to be complete, coherent, and properly submitted. The CNB states that applications under the Payment System Act are regulated by Decree No. 1/2022 Coll., alongside Decree No. 7/2018 Coll., and that applications are submitted electronically. The CNB’s licensing page also links applicants directly to the relevant legislative framework and EBA authorisation guidelines.
That makes the Czech route unsuitable for a “submit first, fix later” strategy. If the application pack is inconsistent, if the programme of operations does not match the contracts, if outsourcing is described vaguely, or if AML and safeguarding do not align with the transaction model, the weakness is easier to spot.
A strong Czech PI application typically works because every section tells the same story. The corporate structure, capital plan, safeguarding model, compliance framework, governance arrangement, and IT logic all point in the same direction.
The licence is not the finish line
One of the biggest mistakes in planning a PI project is treating authorisation as the last hard step. In reality, the licence is the point at which supervision begins.
The CNB makes clear that payment institutions remain subject to ongoing supervision and reporting obligations. That means the operating model described in the application must continue to work after authorisation, not only during the approval phase. Controls must be maintained, incidents must be handled properly, safeguarding must actually function, and internal governance must remain effective in day-to-day operations.
This is also why post-licence strategy matters during pre-licence planning. If the business intends to expand into other EU markets, passporting becomes relevant. If it plans to onboard higher-risk segments, AML and operational capacity become more important. If it wants to scale quickly, the financial model and control framework need room for growth from the outset.
What founders should really ask before starting
A better question than “how do we get a PI licence?” is this:
Can we explain, document, and defend the full operating logic of our payment business under regulatory scrutiny?
If the answer is not yet clear, the project usually needs more work on structure before it needs more work on forms.
A viable PI licensing strategy normally begins with scope analysis, then moves into capital planning, safeguarding architecture, AML design, governance setup, IT and outsourcing control, and only then into final assembly of the application pack. When this order is reversed, teams often spend money on documents that later have to be rewritten.
Conclusion
A PI licence is not awarded because a company wants to be in payments. It is awarded because the applicant proves it can act like a regulated payment institution from the moment the authorisation takes effect.
That proof is built from substance: clear scope, appropriate capital, credible safeguarding, product-based AML controls, real governance, defensible outsourcing, and resilient systems. In the Czech Republic, the process is formal enough to expose weak preparation and structured enough to reward a well-built file.
So, if you are working out how to get a PI license, the practical answer is simple: do not treat the application as paperwork. Treat it as the legal and operational blueprint of the institution you are asking the regulator to trust.
Launch Your PI Project
We help you prepare the capital, documents, and regulatory logic behind your PI application in line with ČNB expectations.
Book PI Strategy CallFAQ
What is a PI licence and what does it allow you to do?
A PI (Payment Institution) licence allows a company to provide regulated payment services under PSD2. Depending on the scope, this may include money transfers, payment processing, issuing payment instruments, or initiating payments. The licence is issued in one EU country but can be passported across the EU.
How much capital is required for a PI licence?
The minimum initial capital is typically EUR 20,000, EUR 50,000, or EUR 125,000, depending on the services. However, this is only a regulatory threshold. In practice, the required capital depends on the business model, costs, and operational risks.
Is depositing the minimum capital enough to get licensed?
No. Regulators assess the entire project — including business plan, governance, AML, safeguarding, and operational setup. Capital must be justified and aligned with the actual business model.
What is safeguarding and why does it matter?
Safeguarding refers to protecting client funds. Regulators expect clear arrangements on where funds are held, how they are segregated, and how discrepancies are handled. It is a core part of the licence, not a formality.
What are the AML requirements?
AML must reflect the actual risks of the business. This includes customer due diligence, transaction monitoring, and risk controls tailored to the specific product and transaction flows — not generic templates.
Can key functions be outsourced?
Yes, but responsibility remains with the licensed entity. Outsourcing must be properly structured, documented, and controlled, with clear oversight mechanisms in place.
What happens after the licence is granted?
The licence marks the start of ongoing supervision. The company must maintain capital, comply with reporting obligations, and ensure that all controls (AML, safeguarding, governance) function in practice.
How long does it take to obtain a PI licence?
Timelines vary, but preparation is the key factor. Well-structured applications move faster, while incomplete or inconsistent files often lead to delays and additional regulatory questions.
