Your fintech firm, embedded payments platform or payment service provider (PSP) needs regulatory authorisation if you process payments on behalf of others. The FCA authorises payment institutions under the Payment Services Regulations 2017 (SI 2017/752) and the Electronic Money Regulations 2011 (SI 2011/99). The regulatory path you follow depends on your transaction volumes, the breadth of services you offer, and whether you hold customer funds. This guide walks through the three authorisation routes: authorised payment institution (API), small payment institution (SPI), and electronic money institution (EMI), together with their capital requirements, application timelines, ongoing compliance obligations and the practical triggers that determine which status your firm needs.

What counts as a regulated payment service under Schedule 1 PSRs 2017?

Your business needs FCA authorisation if you carry out any activity listed in Part 1 of Schedule 1 to the Payment Services Regulations 2017 as a regular occupation or business. These regulated services comprise: accepting payments and managing payment accounts; executing payment transactions including direct debits and card payments; issuing payment instruments such as prepaid cards; providing payment initiation services (PIS), which allow customers to initiate payments from their accounts at other providers; and providing account information services (AIS), which aggregate account data from multiple payment service providers. A payment transaction is an act initiated or carried out by a payer or a payee with a view to placing, transferring or withdrawing funds. Money remittance services, which facilitate transfers of funds without establishing a payment account, also require authorisation. Credit transfer services (including standing orders and BACS payments) are regulated, as are services that enable cash to be placed into or withdrawn from a payment account over the counter or via ATM.

Activities that fall outside the regulatory perimeter include cash-back services offered at the point of sale, direct cash payments between payer and payee without intermediation, payment transactions executed by commercial agents acting on behalf of a principal, and services provided by technical service providers who operate merchant acquiring infrastructure but do not themselves enter into the payment chain. The distinction is technical but material: if you touch funds or act as an intermediary in the payment chain, you likely need authorisation. If you merely provide technology or infrastructure support to others, you may fall outside the scope. The FCA’s Perimeter Guidance, Chapter 15, provides detailed case studies and the FCA’s own approach statement offers worked examples.

What is the difference between an Authorised Payment Institution and a Small Payment Institution?

The FCA recognises two categories of payment institution, each with distinct thresholds, capital requirements and permitted services. This is a critical operational distinction for early-stage fintechs and growth-stage payment platforms.

API authorisation under regulation 6 of the PSRs 2017 is a distinct statutory authorisation from Part 4A authorisation under FSMA 2000. APIs and EMIs are not FSMA-authorised persons, and FCA Handbook regimes that attach to Part 4A authorisation, including the Senior Managers and Certification Regime, do not apply. See our post on SM&CR reform and payment firms: scope before substance for the scope analysis.

An Authorised Payment Institution (API) may provide any payment service in Schedule 1 without transaction volume restrictions. An API can execute unlimited payment transactions, offer account opening and account management services, issue payment instruments, and provide PIS and AIS services to customers and third-party integrators. An API must hold minimum initial capital of £125,000 if it provides payment execution or merchant acquiring; £50,000 if it provides only payment initiation services; and £20,000 if it provides only money remittance. The actual capital requirement depends on the breadth of services offered. Additional capital may be required under regulation 21 of the PSRs 2017 if a firm’s risk profile or transaction volumes justify it. An API must comply with the conduct-of-business requirements in Parts 6 and 7 of the PSRs 2017 and the FCA’s Approach Document to Payment Services and Electronic Money, strong customer authentication and fraud prevention requirements under regulation 97 of the PSRs, the Consumer Duty (PRIN 2A), and the FCA’s safeguarding framework under Policy Statement PS25/12 effective 7 May 2026.

A Small Payment Institution (SPI) is a lighter-touch regime for firms with limited transaction volumes. An SPI may not exceed €3 million in average monthly payment transaction volume (calculated over the preceding 12 months). Once an SPI breaches this threshold, the firm has 30 days to apply for full API authorisation or cease regulated activity. An SPI must hold minimum initial capital of £20,000 regardless of the services it provides. Critically, under PERG 15.4, an SPI cannot provide account information services or payment initiation services; it is restricted to payment execution and money remittance. This is a major constraint for SPI platforms that aspire to offer open banking integrations. An SPI is exempt from most FCA Handbook conduct-of-business rules but must comply with transparency requirements, strong customer authentication, safeguarding and dispute resolution obligations. Because the SPI regime is so restricted, many fintechs choose to apply for API status directly despite the higher capital requirement and compliance burden.

The choice between SPI and API is therefore a core determinant of your business model. If you plan to offer PIS, AIS or merchant acquiring, you must apply for API status. If you are a money remittance specialist with predictable volumes below €3 million per month, SPI status may offer regulatory agility and lower compliance costs, but you will sacrifice the ability to offer account services or diversify your product range. The FCA’s view is set out in its approach statement on Payment Services and Electronic Money.

How does electronic money authorisation relate to payment institution status?

Your firm may need separate authorisation as an Electronic Money Institution (EMI) if it issues electronic money (e-money). E-money is monetary value stored electronically and redeemable for goods and services. E-money is created when a customer prepays a provider in exchange for the promise to transfer funds later. A debit card loaded with prepaid funds is e-money; a multi-currency wallet holding funds for future payment is e-money. In contrast, a payment institution that executes payments on instruction does not issue e-money; it merely moves funds that the customer already controls.

Under the Electronic Money Regulations 2011, an Authorised EMI must hold minimum initial capital of €350,000 (or 2 per cent of average e-money outstanding, whichever is higher). An EMI faces stricter safeguarding rules than a PI because it holds customer funds. An EMI must place customer funds in a segregated trust account or purchase insurance to protect customer balances in the event of insolvency. A Small EMI is available if the firm’s average outstanding e-money balance does not exceed €5 million and monthly transactions do not exceed €3 million. A Small EMI needs only £20,000 initial capital. However, once either threshold is exceeded, the firm must upgrade to full Authorised EMI status within 30 days. The FCA supervises both payment institutions and EMIs; many firms hold both authorisations because they both hold customer funds and execute payments (PI) and issue prepaid wallets (EMI). The regulatory requirements overlap but are distinct.

The key operational distinction is that an EMI must safeguard all customer funds held in accounts that constitute e-money, whereas a PI need only safeguard customer funds pending the execution of a specific payment transaction. If your business model involves issuing cards, wallets or accounts into which customers deposit funds for future use, you need EMI authorisation. If you merely execute payments on instruction using funds that the customer instructs you to move, you need PI authorisation. Many platforms require both.

What does the FCA application process look like and how long does it take?

An API application typically takes 6 to 12 months from submission to a final FCA determination. An SPI application takes 3 to 6 months. These timelines are aspirational; actual elapsed time depends on the completeness of your application, the number of information request rounds, and the current FCA workload. An incomplete or technically problematic submission will restart the clock and add months to your timeline. The FCA’s standard approach is to issue one major information request (sometimes called a “first round”) and then allow the applicant 20 working days to respond. If the FCA is not satisfied, a second round follows. Firms that engage specialist advisors and submit comprehensive, well-organised applications consistently report shorter timelines.

The FCA application requires a detailed business plan, governance and organisational structure, management and key personnel CVs with the FCA’s prescribed format, a financial forecast (typically three years), anti-money laundering and sanctions screening procedures, a detailed compliance manual, IT security and operational resilience policies, and evidence of the firm’s own funds position and shareholder identity. The FCA’s application guidance page provides the full checklist. The FCA will conduct a 30-day consultation with other financial supervisors including the PRA (Prudential Regulation Authority) and relevant overseas regulators if your firm is part of a wider group.

Application fees are substantial. For a Small PI, the fee is typically in the £280 to £7,000 range depending on the FCA’s fee categorisation; for an Authorised PI, fees range from £7,000 to £222,940 depending on firm size and complexity. These are one-time authorisation fees, separate from ongoing annual regulatory fees which are assessed based on the firm’s anticipated revenue from regulated activities. The FCA’s authorisation fees page sets out the current tariff. Budget for external legal and compliance advice in the region of £30,000 to £100,000 depending on the complexity of your business model.

What happens if you transition from SPI to API status or grow beyond thresholds?

Once an SPI’s average monthly transaction volume exceeds €3 million, the SPI has 30 days to notify the FCA and apply for API authorisation or cease regulated activity. The notification triggers a requirement to apply within the 30-day window or wind down the business. The FCA will treat the API application as urgent given the regulatory deadline, but the firm is operating in a precarious position during this transition. Similarly, if a Small EMI breaches either its €5 million balance threshold or €3 million monthly transaction threshold, it must upgrade to Authorised EMI status within 30 days. This creates operational urgency and cost if the upgrade is not anticipated in advance.

To avoid this cliff edge, firms should anticipate their growth trajectory and apply for the appropriate status before thresholds are reached. SPI firms planning meaningful growth should transition to API status 6 to 9 months before anticipated volume breaches, ensuring that API authorisation is in place well before the firm hits the ceiling. The FCA will also examine the firm’s track record as an SPI when assessing an API application; a clean compliance record accelerates the process.

What are the ongoing compliance and notification obligations once authorised?

Once authorised, a payment institution is subject to continuous compliance with the PSRs 2017 and the FCA Handbook. This includes capital adequacy calculations performed quarterly; submission of regulatory returns to the FCA; strong customer authentication (SCA) on all remote payment transactions unless an exemption applies under regulation 97; annual reporting of fraud losses and refund claims; complaints handling within the eight-week statutory timeline and referral to the Financial Ombudsman Service if a customer escalates; safeguarding customer funds in segregated trust accounts or insurance arrangements; and data protection compliance under UK GDPR and the Data Protection Act 2018.

Firms must also maintain professional indemnity insurance for PIS and AIS providers, and report on counterparty and concentration risk if the firm provides payment initiation or account information services. The FCA expects firms to assess and maintain operational resilience, including resilience to IT outages and cyber incidents. Large payment institutions are subject to the FCA’s operational resilience framework, which requires firms to identify critical functions and maintain detailed logs of service disruptions.

Changes in firm structure require notification. A change of control (typically defined as acquisition of more than 25 per cent of voting shares or appointment of new effective controllers) must be notified to the FCA in advance. The FCA will assess whether the new controllers meet the “fit and proper” test and may impose conditions. Similarly, material changes to a firm’s business model, payment corridors, or technology infrastructure should be reported as they may alter the firm’s compliance obligations or risk profile. An appointment of a new compliance officer or chief financial officer should trigger a notification. The FCA’s expectation, set out in Principle 11 of the FCA Handbook, is that firms disclose anything “the FCA would reasonably expect to notice” about the firm’s status, operations, or controllers.

What special rules apply to Temporary Permissions and passporting into Europe?

The Temporary Permissions Regime (TPR) was a transitional arrangement that allowed EEA-authorised payment institutions to continue serving UK customers after Brexit. The TPR ended on 31 December 2025. Any EEA payment institution that operated into the UK under the TPR is now required to hold full FCA authorisation as an API or SPI if it wishes to continue UK regulated business. The FCA published guidance on the end of TPR and firms affected should have begun applications by now.

A UK-authorised API may not passport into EEA member states. Passporting is no longer available post-Brexit. A UK PI seeking to provide services in Europe must either establish a regulated subsidiary in a target jurisdiction or rely on bilateral regulatory recognition arrangements. Several EEA member states have begun negotiating standalone cooperation agreements with the UK FCA, but these are firm and jurisdiction specific. There is no automatic EU passporting regime for UK firms. If you operate a platform serving European users, you should plan for a multi-jurisdictional authorisation strategy: UK API status for UK customers, and separate authorisations in the EEA jurisdictions in which you have material customer numbers or transaction volumes. The EU is currently consulting on PSD3 and a modernised Payment Services Regulation, which may alter these requirements in future, but current planning should assume no UK-EU mutual recognition.

What practical triggers indicate you need to apply for payment institution status?

Six scenarios commonly trigger FCA authorisation applications. First, you are a fintech firm launching a BaaS (Banking-as-a-Service) platform that holds customer funds or executes payments on their behalf. You need API status. Second, you operate an embedded finance platform that allows a merchant or third party to offer payments to their end customers. If you touch funds or are a party to the payment transaction, you need authorisation. Third, you provide payment initiation or account information services (open banking integrations). You must be authorised as an API; you cannot offer these services as an SPI or unlicensed firm. Fourth, you operate a money remittance service such as a cross-border transfer platform. You need either SPI status (if volumes are below €3 million per month) or API status (if higher). Fifth, you are a merchant acquiring service provider that accepts card payments on behalf of merchants. You need API authorisation. Sixth, you issue prepaid cards or digital wallets into which customers deposit funds. You likely need both PI and EMI authorisation because you both hold funds (EMI) and execute payments (PI).

The critical question is: “Do I touch customer funds or act as an intermediary in the payment chain?” If yes, apply for authorisation before you commence regulated activity. Operating without required authorisation exposes the firm to FCA enforcement action, penalties, and criminal prosecution of officers under regulation 123 of the PSRs 2017.

How do the new safeguarding rules effective May 2026 affect your operational model?

The FCA published Policy Statement PS25/12 in 2025, materially strengthening safeguarding requirements for payment institutions and EMIs effective 7 May 2026. The new rules require that customer funds held by a PI pending payment execution must be placed in a trust account or covered by insurance; the firm cannot use those funds for its own purposes. If a PI is in insolvency, customer funds in a trust account are protected from the firm’s creditors. For EMIs, safeguarding is even stricter: all e-money balances must be protected by either segregated trust account or insurance and are absolutely ring-fenced from the firm’s own capital. A PI or EMI cannot co-mingle customer funds with its own operating account.

These requirements have operational implications. You must establish a separate escrow or trust account held either directly in customer names or in the name of a third-party trustee, with clear contractual arrangements specifying that the funds are customer property. If you hold funds even briefly, this is mandatory. The new rules also require firms to publish a safeguarding policy describing how customer funds are protected, and to report quarterly to the FCA the total amounts of customer funds held and the arrangements protecting them. When designing your payments infrastructure and bank account arrangements, budget for legal costs associated with trust account establishment and consider whether your payment processor or bank can act as a custodian.

Authorisation route comparison

Feature	Authorised PI (API)	Small PI (SPI)	Authorised EMI	Small EMI
Transaction volume limit	Unlimited	€3m monthly average	Unlimited	€3m monthly, €5m balance
Services allowed	All Schedule 1 services	Payment execution, money remittance only (no PIS/AIS)	Issue e-money, payment execution	Issue e-money (capped volume)
Minimum capital	£20k–£125k (depends on services)	£20k	€350k or 2% outstanding balance	£20k
Application timeline	6–12 months	3–6 months	6–12 months	3–6 months
Application fee	£7k–£222k	£280–£7k	£7k–£222k	£280–£7k
FCA Handbook compliance	Full COBS and PRIN	Exempt from most COBS; must comply with transparency and SCA	Full COBS and PRIN	Limited; transparency and safeguarding only
Can offer PIS/AIS	Yes	No	Not primary function	No
Safeguarding obligation	Trust account or insurance (post-May 2026)	Trust account or insurance (post-May 2026)	Trust account or insurance (absolute priority)	Trust account or insurance (absolute priority)

Key regulatory references and FCA resources

The primary legislation governing payment institution authorisation is the Payment Services Regulations 2017. Key sections include regulation 5 (definition of authorised PI), regulation 13 (small PI definition and conditions), regulation 21 (initial capital), and regulation 97 (strong customer authentication). The Electronic Money Regulations 2011 govern EMI authorisation, with regulation 14 setting the minimum capital threshold and regulation 16 establishing small EMI conditions.

The FCA’s handbook guidance is published at PERG 15 (Perimeter Guidance for Payment Services), which clarifies which activities are in scope. The FCA’s Approach statement published in 2017 remains the authoritative statement of the FCA’s supervisory priorities for payment firms. The FCA’s application guidance for payment institutions is available at the FCA’s payment institution applicant page. Safeguarding requirements post-May 2026 are set out in Policy Statement PS25/12.

We advise payment firms on the full range of authorisation routes, help navigate the FCA application process, and advise on ongoing compliance obligations including the PSRs 2017, UK GDPR, and anti-money laundering. Our payments regulation pages cover the key topics. Contact our team if you need specialist guidance on authorisation strategy or application logistics.

Frequently asked questions about payments authorisation

Do I need FCA authorisation to provide payment services?

If you transmit customer funds, process payments on behalf of customers, or issue electronic money, you almost certainly need FCA authorisation unless you fall within a specific exemption. The Payment Services Regulations define regulated activities broadly. Even if you believe you operate outside the Regulations, if you handle customer funds or payment data, you should take specialist advice. Operating without required authorisation is a criminal offence under the Proceeds of Crime Act and attracts civil enforcement action by the FCA.

What is the difference between a payment institution and an electronic money institution?

A payment institution is authorised under the Payment Services Regulations to provide payment services (processing payments, operating accounts, issuing instruments). An EMI is authorised under the Electronic Money Regulations to issue electronic money, which is a prepaid monetary value stored electronically that can be spent with merchants. The choice depends on your business model. If you are building a prepaid wallet or stored value product, EMI regulation typically applies. If you are providing payment processing or account services, PI regulation applies. Some businesses need both authorisations.

How long does the FCA authorisation process take?

The FCA must determine a complete application within three months under regulation 10 of the PSRs 2017. In practice, most applications face information requests that pause the clock whilst you provide additional material. Well-prepared applications with clear documentation can reach decision in 6 to 9 months. Poor quality applications can take 18 months or longer, or be withdrawn and resubmitted. The quality of your application is the dominant factor in timescale.

Can I operate as a small payment institution to avoid full authorisation?

Small payment institution registration is available under the Payment Services Regulations if your average monthly payment transactions over the preceding 12 months do not exceed EUR 3 million. SPI registration is a lighter-touch regime with fewer regulatory requirements. However, you must notify the FCA before commencing business, you still have compliance obligations (safeguarding, complaints, anti-money laundering), and if you exceed the threshold you must apply for full PI authorisation. SPI is suitable only for very small, low-risk operations.

How does PS25/12 affect safeguarding for authorised firms?

PS25/12 specifies operational rules for complying with the existing statutory safeguarding obligations under the PSRs 2017 and EMRs 2011, taking effect on 7 May 2026. Firms must segregate customer funds in designated bank accounts or with a custodian, monitor segregation daily, and reconcile holdings regularly. New applicants must demonstrate readiness to meet these standards as part of their authorisation application. Existing firms must comply by the deadline or vary their permissions accordingly. The requirements have material implications for your banking relationships and operational systems.

Why do so many FCA applications fail?

The FCA rejects or requires withdrawal of a substantial proportion of payment services applications. Common reasons include generic policies that regurgitate regulatory text without explaining how the applicant will comply, business plans that lack clarity on regulatory boundaries, senior management with insufficient experience or undisclosed history, risk assessments focused on business risk rather than customer risk, and inability to answer FCA follow-up questions clearly. The FCA has published video guides to help applicants improve quality. The best protection is specialist advice at application design stage.

Should I apply for authorisation or registration?

The choice depends on the size and risk profile of your business. Small Payment Institution registration is available if your annual payment transactions are under EUR 3 million and you meet certain conditions. For larger operations or higher-risk activities, you will need full PI or EMI authorisation. You cannot choose registration simply to avoid authorisation: the Regulations determine which regime applies. Take specialist advice to determine which regime fits your business model.

When should I engage a specialist payments lawyer?

Engage early: ideally before you have locked in a business model or committed capital to product development. A specialist lawyer can help you navigate regulatory perimeter questions at the design stage, saving costly remodelling later. For applications, instruct well before your anticipated submission date. If you are already operating and think you may need authorisation, seek advice immediately to understand your regulatory exposure. The cost of early advice is almost always lower than the cost of late intervention.

Related payments regulation pages

See also our other payments regulation pages:

• Payments Regulation
• Open Banking and Variable Recurring Payments
• PSR and Scheme Governance
• Operational Resilience and DORA
• Safeguarding and Consumer Duty
• E-Money Regulation and EMI Compliance

Related payments regulation pages

See also our other payments regulation pages:

• Open Banking and Variable Recurring Payments
• PSR and Scheme Governance
• Safeguarding and Consumer Duty
• E-Money Regulation and EMI Compliance
• Operational Resilience and DORA
• FCA Investigations and Enforcement

Related insight

The hidden architecture of UK open banking: the directory entry that follows FCA authorisation is what makes an AISP or PISP licence operational across the ecosystem.

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

• Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category: Chambers
• The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
• Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data: Lexology