Fintech Regulation and Payment Licenses

Legal advice for fintech companies that need to operate with regulatory backing: payment institution or e-money licenses, authorization before the Bank of Spain, PSD2 compliance, open banking and DORA.

100% Free

Launching a fintech? Free legal assessment

Tell us your business model and we'll tell you which license you need (PI, EMI, PISP/AISP).

+50 entities advised · 24h response · No obligation

Regulation tailored to each fintech model

Payment institutions, EMIs, PISPs, AISPs or fintechs in launch phase: each model has different requirements, timelines and evidence before the Bank of Spain.

Payment institutions

Payment institution license step by step

"We support you from defining the model to authorization: corporate structure, capital, internal control manual and programme of operations."

EMI / E-money

Authorization as an e-money institution

"We design the complete EMI license file: capital, funds safeguarding, AML policy, DORA and a governance structure suited to the regulator."

PSD2 / Open banking

PISP, AISP and open banking

"We structure the regulatory framing of payment initiation and account aggregation services: registration, technical requirements and contracts with banks."

Fintech compliance

Ongoing regulatory compliance

"We implement and maintain the compliance system: AML/CFT, DORA, internal policies, control body and support during inspections."

Why act now on fintech regulation?

Operating without a license, breaching PSD2 or failing to adapt to DORA has direct regulatory consequences: cessation of activity, penalties and loss of partners.

Providing payment services without a license from the Bank of Spain is a very serious infringement: immediate shutdown and multimillion-euro penalties.

DORA has been mandatory since January 2025: financial entities and critical ICT providers must demonstrate operational resilience or face supervisory measures.

Banks and partners require an active license before integrating a fintech: without one, commercial agreements stall indefinitely.

PSD2 / Bank of Spain: Cessation of activity

Operating without a license: a very serious infringement with immediate cessation, heavy fines and personal liability of directors.

SCA / Incidents: Integrations blocked

Technical breach of PSD2 (SCA, incident management) has direct regulatory consequences and blocks integrations with banks.

Venture Capital: Faster round

Investors weigh regulatory status as an investment criterion: a pending or active license speeds up the round and improves valuation.

Want to launch your fintech with the right license?

We help you identify the right license, process the authorization before the Bank of Spain, implement PSD2/DORA compliance and operate with full regulatory certainty.

Fintech regulation: common questions

What is a payment institution and when do I need a license?

A payment institution is a legal entity authorized to provide payment services on a professional basis: transfers, direct debits, card payments, remittances or payment initiation services.

If your fintech handles third-party funds or processes payments in the EU on a regular basis, you need a license from the Bank of Spain before operating.

What's the difference between a payment institution and e-money?

An e-money institution (EMI) can issue electronic money in addition to providing payment services. A payment institution (PI) only provides payment services.

If your model includes wallets, prepaid cards or balances stored on the client's behalf, you need an EMI license.

What does PSD2 require from fintechs?

PSD2 sets the regulatory framework for payment services in Europe:

  • Strong customer authentication (SCA) for access and payments.
  • Access to bank accounts through open APIs (open banking).
  • Notification of operational and security incidents to the Bank of Spain.
  • Contracts with credit institutions for access to payment systems.
  • Transparency for users on terms and fees.

What is DORA and who does it affect?

The DORA Regulation (Digital Operational Resilience Act) has been mandatory since January 2025 for all regulated financial entities in the EU and their critical ICT providers.

It requires an ICT risk management framework, business continuity policy, incident logging and notification, resilience testing and oversight of external technology providers.

What are PISP and AISP in open banking?

They are two figures regulated under PSD2:

  • PISP (Payment Initiation Service Provider): initiates payments from the client's bank account to a beneficiary, without going through a card.
  • AISP (Account Information Service Provider): aggregates information from multiple bank accounts to provide a consolidated financial view.

Both require registration with the Bank of Spain and compliance with specific technical and contractual requirements.

How long does it take and what does a payment institution license cost?

The legal deadline is 3 months from a complete file, although in practice it can extend to between 6 and 12 months.

The minimum capital required ranges between €20,000 and €125,000 depending on the services to be provided. A well-prepared file significantly reduces timelines and additional requirements.

Can I operate while my license is being processed?

As a general rule, no. Providing payment services without prior authorization is a very serious infringement.

The usual alternative while your own license is processed is to operate under the umbrella of an already-authorized payment institution through an agent or regulated distribution agreement.

What are the advantages of your own license vs operating as an agent?

With your own license you control your operations, your relationship with the regulator, European expansion (passporting) and your valuation before investors. As an agent, you depend on the policies, timelines and decisions of the principal entity.

Your own license is a strategic asset: it improves your bargaining position with banks, partners and in investment rounds.

Practical fintech regulation guide

Getting a fintech license isn't just "filing paperwork": it's a process that requires a defined business model, a solid regulatory structure and a compliance programme that works from day one.

License

What fintech regulation aims for

To ensure that companies handling third-party funds, processing payments or issuing electronic money operate with adequate controls, user protection and ongoing supervision.

PSD2 / DORA

Minimum required controls

Funds safeguarding, strong customer authentication (SCA), incident management, ICT resilience (DORA), AML/CFT, reporting to the regulator and transparency for the user.

Evidence

What makes the difference

A well-prepared file, policies applicable from day one, real internal governance and compliance evidence are what speed up the authorization and sustain operations.

Fintech authorization checklist in 8 steps

  1. Define the business model: payment services to be provided and regulatory figure (PI, EMI, PISP, AISP, agent).
  2. Incorporate the company and pay up the minimum capital according to the license type.
  3. Draft the programme of operations, internal control manual and funds safeguarding policies.
  4. Design the AML/CFT system: KYC, monitoring, reporting and internal control body.
  5. Prepare PSD2 compliance: SCA, incident management, contracts with credit institutions.
  6. Implement DORA: ICT risk management, business continuity policy, critical providers and resilience testing.
  7. Submit the file to the Bank of Spain and manage the review process.
  8. Operate with ongoing compliance: periodic audits, reporting and improvement of the system.

If you need a fintech license or regulatory compliance, check our fintech services or request a quote.

Fintech Playbook

Fintech regulation in practice

Obligation: Authorization / Registration
What's expected: Obtain a PI, EMI license or PISP/AISP registration before providing payment services.
Typical evidence: Complete file, Bank of Spain decision, entry in the official register.

Obligation: Funds safeguarding
What's expected: Segregate and protect client funds under the applicable regime (PI or EMI).
Typical evidence: Segregated account, insurance policy or bank guarantee, periodic reporting.

Obligation: PSD2 / SCA
What's expected: Strong authentication, incident management, transparency and access to bank APIs.
Typical evidence: SCA policy, incident log, contracts with banks, reporting to the regulator.

Obligation: DORA
What's expected: Digital operational resilience: ICT risk management, continuity and critical providers.
Typical evidence: ICT framework, continuity policy, incident log, provider assessment, testing.

Obligation: AML/CFT + audit
What's expected: KYC, monitoring, reporting and governance of the anti-money laundering system.
Typical evidence: AML manual, KYC files, alerts, ICB minutes, periodic audits.

Typical risk signals in fintechs

Indicators that can lead to a blocked authorization or supervisory measures.

  • Providing payment services without a prior license or registration with the Bank of Spain.
  • Client funds not segregated or with no formalized safeguarding mechanism.
  • Absence of an SCA policy or undocumented incident management.
  • Critical ICT providers with no assessment or adequate contracts (DORA).
  • A business model with no clear regulatory framing: operating "in the grey" delays everything.

Operational glossary

Key concepts in fintech regulation

If you're launching or scaling your fintech, these terms appear in files, audits and in your relationship with the Bank of Spain.

PI (License)

Payment institution

Legal entity authorized to provide payment services: transfers, direct debits, card payments, remittances and payment initiation.

Minimum capital: €20,000 – €125,000 depending on services.

EMI (License)

E-money institution

Can issue electronic money (monetary value stored digitally) in addition to providing payment services. Requires a license with higher capital requirements.

Minimum capital: €350,000.

PSD2 (EU Directive)

Payment Services Directive 2

European regulatory framework for payment services: SCA, open banking, transparency, incident management and access to payment systems.

Key: SCA + APIs + reporting.

SCA (Security)

Strong Customer Authentication

Strong customer authentication required by PSD2 for access and payments: at least two independent authentication factors.

Evidence: policy + technical implementation.

PISP (Open banking)

Payment Initiation Service Provider

Provider that initiates payments from the client's bank account to a beneficiary, without going through a card. Requires registration with the Bank of Spain.

Useful for: direct payments, e-commerce, B2B.

AISP (Open banking)

Account Information Service Provider

Provider that aggregates information from multiple bank accounts to offer the user a consolidated financial view.

Useful for: PFM, scoring, financial aggregation.

DORA (Resilience)

Digital Operational Resilience Act

EU Regulation mandatory since 2025: ICT risk management, continuity, incidents, resilience testing and oversight of critical providers.

Applies to: PI, EMI, investment firms and ICT providers.

Safeguarding (Funds)

Protection of client funds

Obligation to segregate and protect funds received from clients via a segregated account, insurance policy or bank guarantee.

Evidence: account + contract + reporting.

Passport (EU expansion)

European passport

With a PI or EMI license in one Member State, the entity can operate across the EU by notifying the host regulator, without a new authorization.

Key: notification + local requirements.

📥 Free download

Fintech License Checklist in 8 steps

The operational guide we apply with our clients to prepare a solid file before the Bank of Spain: PI, EMI license or PISP/AISP registration with PSD2/DORA compliance from day one.

  • 8 actionable steps (regulatory framing, capital, safeguarding, AML, PSD2, DORA…)
  • Expected documentation and typical mistakes that delay authorization
  • Tailored to PI, EMI, PISP, AISP, neobanks and hybrid entities

Book a call

Tell us your fintech business model and we'll explain which license you need and how to obtain it.

Fintech legal framework in Spain and the EU: PSD2, DORA and payment licenses

The regulation of fintech companies in Spain is built around the Payment Services Law (Royal Decree-law 19/2018, which transposed PSD2 and replaced the former Law 16/2009), the electronic money regime and, since 2025, the DORA Regulation on digital operational resilience. The Bank of Spain is the supervisor that authorizes and registers payment institutions, e-money institutions, PISPs and AISPs.

Payment institution and e-money licenses

Payment institutions (PI) need authorization from the Bank of Spain to provide payment services on a professional basis. E-money institutions (EMI) require an additional license to issue electronic money. Both figures are subject to capital requirements, funds safeguarding, internal governance and AML/CFT compliance.

PSD2 and open banking

The PSD2 Directive sets the regulatory framework for payment services in Europe, including strong customer authentication (SCA), access to bank accounts via open APIs (open banking) and the creation of new figures such as PISP and AISP. Compliance is a necessary condition to operate and to maintain integrations with credit institutions.

DORA: digital operational resilience

The DORA Regulation has required, since January 2025, that all regulated financial entities (including PI and EMI) and their critical ICT providers demonstrate an ICT risk management framework, business continuity policy, incident logging and oversight of external technology providers.
