This guide explains the licensing options available in the UK and EEA, the compliance obligations that apply regardless of which route you take, and what is coming down the regulatory pipeline with PSD3 and the EU Anti-Money Laundering Regulation (AMLR).
Embedded finance has made it possible for virtually any business to offer its customers a payment card. Expense management platforms, HR software, fleet operators, and B2B marketplaces are all exploring card programmes as a way to deepen product stickiness and open new revenue lines. But there is a significant regulatory layer sitting between a product idea and a live card, and misunderstanding it is one of the most common reasons launches stall or fail.
Do you actually need a card issuing licence to launch a card programme?
The answer is: not always, but you need to operate under one. There are three main routes to market, and which one fits your business depends on whether you plan to hold customer funds, how quickly you need to launch, and how much control you want over the regulatory relationship.
- Get licensed yourself. You apply for either a Payment Institution (PI) or Electronic Money Institution (EMI) licence from your national regulator. You own the regulatory relationship, the compliance obligations, and the upside that comes with full control.
- Use a BIN sponsor or programme manager. You operate under the licence of a regulated principal member, who takes on the scheme compliance responsibilities. You manage the customer experience and programme controls, but you are not the regulated entity.
- Act as an agent of a regulated EMI. You distribute products under an EMI’s licence and registration. This is common for smaller-scale programmes where full authorisation is not yet warranted.
The BIN sponsorship route has become the default for non-financial businesses that want to add cards without building a compliance function from scratch. That said, growing businesses often hit ceiling effects with BIN sponsorship as transaction volumes rise and programme complexity increases, and many eventually pursue their own authorisation.
Further Reading: How to Launch a White-Label Payment Card Programme: The Complete 2026 Infrastructure Guide
What is the difference between a PI licence and an EMI licence?
These two licence types are the most relevant for embedded card issuers, and they are frequently confused.
A Payment Institution (PI) licence covers the execution of payment transactions, money remittance, and account information or payment initiation services. Critically, a PI cannot issue e-money or hold stored value on behalf of customers. If your card programme requires a balance that customers top up and spend from, a PI licence is not sufficient.
An Electronic Money Institution (EMI) licence allows you to issue e-money, maintain stored value, and issue prepaid or debit cards linked to that balance. This is the standard licence type for embedded card programmes. In the UK, the FCA authorises EMIs under two tiers: Small EMIs (for firms with average outstanding e-money below €5 million or monthly payment transactions below €3 million) and Authorised EMIs for everyone above those thresholds.
The capital requirements reflect that difference. An Authorised EMI requires a minimum of €350,000 in initial capital. A PI requires €125,000, and a Small PI can operate with €50,000. On top of initial capital, EMIs must also maintain ongoing own funds calculated as a percentage of outstanding e-money.
| PI | EMI | BIN Sponsorship | |
| Holds stored value? | No | Yes | Via sponsor |
| Issues prepaid/debit cards? | No | Yes | Yes (under sponsor) |
| Minimum capital | €125,000 | €350,000 | None required |
| Safeguarding required? | Yes | Yes | Sponsor’s obligation |
| Time to launch | 3 to 9 months | 6 to 12 months | Weeks to months |
| Own regulatory relationship? | Yes | Yes | No |
| Best for | Payments, payouts | Full card programmes | Fast-to-market, non-core |
Further Reading: The Complete Guide to Embedding Card Issuance in Your SaaS Platform
How do you get an EMI licence from the FCA in the UK?
The FCA is the primary regulator for payment and e-money firms in the UK. Applications are submitted through the FCA’s Connect portal, and the regulator acknowledges receipt within seven business days, though the decision timeline varies considerably depending on application quality and the FCA’s current caseload. Realistic timelines run from six to twelve months for authorised EMI applications.
The FCA expects a detailed business plan, evidence of robust AML and counter-terrorism financing controls, a description of your safeguarding arrangements, a clear IT and operational resilience framework, and confirmation that key personnel meet the fit and proper standard. Non-UK resident senior managers can complicate an application, so it is worth factoring in management residency from the outset.
The FCA also runs a Pre-Application Support Service (PASS) for complex or novel applications. Using it does not guarantee approval, but it helps identify structural issues before a formal submission and reduces the risk of an outright refusal.
How does EMI licensing work across the EEA, and where should you apply?
In the EEA, EMIs are regulated under the revised Electronic Money Directive (EMD2) and the Payment Services Directive 2 (PSD2). An EMI licensed in one EEA member state can passport its authorisation to other EEA states without a separate licence application in each country.
Lithuania’s Bank of Lithuania has attracted a significant share of fintech applicants over the past five years because of its relatively streamlined process, clear regulatory communication, and willingness to engage early-stage firms. Ireland’s Central Bank, Luxembourg’s CSSF, and the Netherlands’ DNB are also popular choices, particularly for firms with existing commercial presence in those markets.
One important point for firms targeting both markets: post-Brexit, UK and EEA licences are completely separate. A UK EMI licence gives you no passporting rights into the EU, and an EEA licence does not cover UK operations. If you need both, you need two authorisations, two compliance frameworks, and two regulatory relationships. Many fintechs establish separate legal entities in each jurisdiction to manage this cleanly.
Further Reading: How to Build an Embedded Card Program
What payment compliance obligations apply to all embedded card issuers?
Regardless of which licensing route you take, there is a set of compliance obligations that applies to anyone running a card programme. Sponsors carry many of these on your behalf, but if you are a licensed issuer, they sit squarely with you.
AML and KYC. Every customer must go through customer due diligence (CDD) at onboarding. For higher-risk customers, enhanced due diligence (EDD) applies, which includes verification of the source of funds and, for corporate customers, full beneficial ownership mapping. From 2025 onwards, regulators expect automated transaction monitoring systems capable of flagging suspicious activity and supporting Suspicious Activity Report (SAR) filings within five to ten business days of a concern arising.
Safeguarding. Customer funds must be held in segregated safeguarding accounts, entirely separate from the firm’s own operational capital. In practice this means a dedicated safeguarding account at an approved credit institution or invested in qualifying liquid assets, with daily reconciliation and clear audit trails.
PCI DSS. Any firm that stores, processes, or transmits cardholder data must comply with PCI DSS. For most card programme operators, Level 1 compliance is expected, which requires an annual audit by a Qualified Security Assessor (QSA).
Tokenisation. EU regulators now require all card-issuing firms to replace real card data with unique tokens. This is a mandatory technical standard from 2025, not a best-practice recommendation. Failure to implement it creates both a security exposure and a regulatory risk.
Strong Customer Authentication (SCA). Under PSD2, transactions above €30 require two-factor authentication. Your card programme’s technical architecture must support SCA flows, and exemptions must be managed carefully to avoid friction without creating liability.
What is BIN sponsorship, and when does it make sense?
BIN (Bank Identification Number) sponsorship is an arrangement where a regulated principal member of a card scheme, such as Mastercard or Visa, allows a non-member to issue cards under its programme. The sponsor holds the scheme membership and the regulatory licence; the programme manager (your business) manages the customer programme, controls spending limits, sets programme rules, and handles the customer-facing product.
The compliance responsibility is split, but not equally. The sponsor retains responsibility for scheme compliance and the AML obligations that sit under its licence. You retain responsibility for your own KYC processes, programme controls, and anything that affects the end customer. If your sponsor has a regulatory problem, your programme can be directly affected, as the collapse of Wirecard’s subsidiary in 2020 made painfully clear for hundreds of card programme operators overnight.
BIN sponsorship makes most sense when cards are not your core product, when you need to launch quickly, or when your transaction volumes do not yet justify the cost and operational overhead of full authorisation. As volumes grow and the compliance team matures, the economics of self-authorisation become more attractive.
What is changing with PSD3, AMLR, and the regulatory outlook to 2027?
The regulatory environment for card issuing is in active transition. Two major packages are working through the EU legislative process, and their implications for embedded card operators are significant.
- PSD3 and the Payment Services Regulation (PSR). Expected to apply from 2027, PSD3 will raise fraud prevention obligations, extend the regulatory perimeter to platforms that currently operate as unregulated intermediaries, and sharpen requirements around transparency and liability. Firms that have historically sat at the edge of the licensing threshold should assume they will be brought inside it.
- EU Anti-Money Laundering Regulation (AMLR). The AMLR, applying from 2027 alongside the new Anti-Money Laundering Authority (AMLA), will harmonise KYC and CDD standards across the EU, tighten beneficial ownership verification, and extend obligations to digital wallets and embedded payment gateways. Firms that currently rely on a light-touch onboarding process will need to rearchitect their KYC flows.
In the UK, the FCA is developing its own post-Brexit payments regulatory framework, which is expected to diverge in some areas from EU requirements, particularly around operational resilience and safeguarding. Monitoring both tracks simultaneously is now a practical necessity for any firm operating in both markets.
What do you need in place before launching an embedded card programme?
This checklist covers the points that most commonly cause delays or regulatory findings at launch.
- Decide whether you will seek your own licence (PI or EMI) or operate under a BIN sponsor
- Determine whether you need a UK licence, an EEA licence, or both
- Calculate whether your capital position meets the relevant minimum threshold
- Appoint a Money Laundering Reporting Officer (MLRO) with appropriate experience
- Establish safeguarding accounts at a regulated credit institution
- Build or procure an AML and KYC onboarding flow that meets CDD and EDD requirements
- Confirm your PCI DSS compliance status or engage a QSA
- Implement tokenisation infrastructure for card data
- Confirm BIN and ICA assignment via your card scheme or sponsor
- Set up automated transaction monitoring and a SAR workflow
- Test your SCA flows across the transaction value ranges your programme will generate
- Review your contracts with any programme manager or sponsor against post-Wirecard due diligence standards
Where to go from here
The regulatory path for embedded card issuing is navigable, but the decisions you make in the first few months, around which licence to pursue, which jurisdiction to register in, and whether to use a sponsor, have long-tail consequences for your cost base and your product roadmap. Getting those decisions right is worth the investment in proper legal and compliance advice before you commit.
The BIN sponsorship and White-Label solutions provided by Wallester offer a strategic alternative for businesses seeking to bypass the capital-intensive and protracted process of securing an independent EMI licence. Operating as a regulated European EMI and Visa Principal Member, Wallester assumes the primary regulatory burden – overseeing critical functions such as PCI-DSS Level 1 compliance, safeguarding, tokenisation, 3D Secure, and fraud monitoring. By leveraging a modern REST API, firms can deploy branded physical and virtual card programmes in a fraction of the time required to build a bespoke compliance framework from the ground up.
Accelerate time-to-market. Explore how Wallester’s regulatory infrastructure supports high-volume card issuance, so you can skip the in-house compliance build.
