The 90-Day Pre-Application File Build for EMI and PI Licences

From "we want to apply" to "ready to submit" is a 90-day sprint with 13 weekly deliverables. Skip a deliverable and the supervisor's first-round questions stretch the post-submission window from 6 weeks to 9 months. This is the week-by-week build for an EMI licence or PI authorisation in the EEA.

The 90-day frame is not arbitrary. It is the shortest period in which a management body slate, a programme of operations, a risk register, an AML/CTF manual, a safeguarding architecture, an ICT and DORA mapping, an outsourcing register, and a board-approved document pack can be produced sequentially, with the right sign-off gates between phases.

The sprint we describe below is built around the regimes set by the EMD2 Directive 2009/110/EC and PSD2 Directive (EU) 2015/2366, and the EBA guidelines on outsourcing, ICT and security risk management, and suitability of the management body. It works for Bank of Lithuania, CySEC, MFSA, Central Bank of Ireland, and CSSF files alike.

Applicants who try to compress this into 30–45 days almost always submit a file that looks credible at the cover page and falls apart at Annex 4. The programme of operations is misaligned with the risk register, the AML manual cites controls the firm has not yet built, and the safeguarding letter references a bank that has not yet agreed terms.

Applicants who stretch beyond 120 days usually lose momentum. The management body slate shifts, the business model drifts, and the version of the file that finally submits no longer matches the version the board approved.

Ninety days is long enough to build evidence and short enough to keep the same team, the same product, and the same numbers from week 1 to week 13. It is also the shortest period in which a credible safeguarding bank will sign a mandate letter for a pre-licence entity.

The 13 deliverables fall into four phases, each with its own purpose and its own internal sign-off gate.

• Foundations (weeks 1–3) — capital, jurisdiction, management body. Nothing in the file is written until these three are locked.

• Documentation (weeks 4–7) — programme of operations, risk register, AML manual, safeguarding mandate. The four pillars the supervisor reads first.

• Drill (weeks 8–11) — ICT and DORA mapping, outsourcing register, first-round question simulation, board resolutions. Stress-test before the supervisor does it for you.

• Submission-Ready (weeks 12–13) — compilation, Bates-stamping, cover letter, submission window. Mechanical work, but the place where 1 in 4 files still slip a week.

Week 1 produces two artefacts: a decision memo and a capital confirmation. The decision memo states the licence class (EMI or PI), the target jurisdiction, the products in scope, and the volume forecast over 36 months. The capital confirmation evidences €350,000 of initial own funds for an EMI or €125,000 for a PI offering account services and money remittance, set under EMD2.¹^[1]

The capital must be unencumbered, cash, and source-traceable. The source of funds file for own funds is the single document most often under-prepared at week 1 and most often demanded by week 5 of supervisor review.

Owner: CFO and founder. Dependency: a board minute or equivalent shareholder resolution. Sign-off: board chair.

By the end of week 2 the applicant has had an informal pre-meeting with the chosen NCA. The Bank of Lithuania runs structured pre-application meetings on a published cycle; CySEC, MFSA, the Central Bank of Ireland, and CSSF do the same on request. The meeting is not optional in a 90-day sprint.

Bring the decision memo, a one-page funds-flow diagram, a list of the named individuals who will sit on the management body, and the safeguarding bank shortlist. Do not bring slides.

The output is a meeting note capturing the supervisor's stated concerns. Those concerns become the first-round question list you drill against in week 10. Skipping the pre-meeting means skipping the only chance to learn what the supervisor will ask before they ask it.

Week 3 closes the management body slate and files the fit-and-proper questionnaires under the EBA Guidelines on suitability of members of the management body.²^[2]

The supervisor expects a balance of payments experience, compliance leadership, risk management, and local jurisdictional presence. An all-founder, all-engineer board fails this test on the first read.

Each questionnaire needs a CV, a police certificate, a credit check, and a declaration of conflicts. Collecting these from non-EEA executives takes longer than founders expect. Start in week 1 even though the deliverable is due in week 3.

The programme of operations is the file's narrative spine. It maps the firm's products to the PSD2 Annex I payment services and explains the funds-flow end-to-end.³^[3]

Cover: customer onboarding, funds in / funds out, safeguarding flow, FX execution, card scheme participation (if any), reconciliation, and complaint handling. Each section names the systems and the human owner.

Draft v1 will be wrong. That is expected. The purpose of week 4 is to produce a draft the risk team can attack in week 5.

The risk register must do three things at once: enumerate inherent risks, attach controls, and quantify residual risk. The supervisor reads it side-by-side with the programme of operations and rejects any control that has no narrative counterpart.

Categories at minimum: ML/TF, fraud, sanctions, safeguarding, operational and ICT, outsourcing and concentration, liquidity, conduct, and reputational. Each row carries an inherent score, a control description, a residual score, and an owner.

Quantification is what separates a credible register from a checklist. Inherent and residual scores need a stated methodology — even a simple 5x5 impact-likelihood matrix is acceptable so long as the methodology is documented.

Week 6 produces the AML/CTF manual and confirms the MLRO appointment with the supervisor. The MLRO must be resident in the jurisdiction, separately fit-and-proper, and dedicated enough that the supervisor believes the role is not a name-plate.

The manual cross-references the risk register line-for-line. Every control claimed in the register has a procedure number in the manual. Every procedure in the manual maps to a control in the register. If the two documents do not match, the supervisor finds it.

Sections: customer onboarding and CDD, EDD triggers, PEP and sanctions screening, transaction monitoring, SAR escalation, record-keeping, training, and independent testing.

Week 7 produces a draft mandate letter from a credible safeguarding bank and a same-name account confirmation — the bank confirming that the safeguarding account will be opened in the licensed entity's name, segregated from operating funds, and labelled as customer-funds for insolvency purposes.

This is the single deliverable most likely to slip. A safeguarding bank's credit committee runs on its own cycle; mandate letters take 4–6 weeks from first contact. Bank outreach therefore starts in week 2, not week 7.

A file that submits without an in-principle mandate letter is a file that invites a first-round question on safeguarding architecture within two weeks of receipt.

Week 8 produces an ICT and security risk management mapping that aligns the firm's technology architecture to the EBA framework, and a DORA gap analysis that records which DORA articles already have evidence and which are on a 12-month remediation plan.⁴^[4]

Coverage: governance, information security, ICT operations, change management, incident management, BCP and DR, third-party ICT risk, and penetration testing.

Week 9 builds the outsourcing register under the EBA Guidelines on outsourcing arrangements.⁵^[5]

Each arrangement is classified critical or important or non-critical. Critical-or-important arrangements need a due-diligence file, a written contract that meets the EBA clauses, an exit plan, and a board notification record. Cloud infrastructure, KYC vendors, transaction monitoring, card processing, and outsourced compliance functions usually score critical.

Supervisors increasingly ask for an intra-group outsourcing section: services received from non-EEA group entities trigger their own substance and data-localisation tests.

Week 10 is the highest-leverage week in the sprint. The compliance team sits across the table from the founders and asks the 40 questions the supervisor is most likely to ask in their first-round letter.

Sources for the question list: the week 2 NCA pre-meeting note, the supervisor's published guidance, the most recent FCA EMI Approach Document (used as a quality benchmark even outside the UK), and the firm's own risk register hotspots.

The FCA's FG17/03 remains the most detailed published authorisation rubric in the EEA-equivalent universe and is read by EEA supervisors as the benchmark a credible file should clear.⁶^[6]

Any question the team cannot answer in 5 minutes with evidence pinned to the file goes onto a week 11 remediation list. This is the moment the file is genuinely stress-tested.

Week 11 produces the formal board approval pack. One resolution approves each of: the programme of operations, the risk register, the AML manual, the safeguarding architecture, the ICT and DORA mapping, the outsourcing register, and the appointment of the MLRO.

The resolutions matter for a procedural reason: supervisors read board minutes as evidence that the management body has applied its mind to the file. A board that approves seven documents in one minute on one day reads as ceremonial. A board that meets twice, asks recorded questions, and approves the file across two minuted sittings reads as functioning.

Week 12 compiles the pack. Every document is version-stamped, Bates-numbered, and indexed against the supervisor's authorisation checklist. Every cross-reference inside the documents is verified to land on a real page in a real annex.

The most common week-12 failure: the programme of operations references "Annex 7 — funds-flow diagram" but Annex 7 does not exist because a paralegal renumbered the annexes after the diagram was finalised.

Week 13 is the submission window. The cover letter is two pages: a one-paragraph summary, a list of the principal annexes, a list of any items submitted on a remediation timeline (e.g. DORA pen-test scheduled for month 7), and a named contact point for first-round questions.

Submission day is administrative. The file is the work of the previous 12 weeks. If week 13 contains substantive drafting, the sprint has failed.

Most files fail on the same patterns. The compensating moves below assume the slip is caught within the same phase — slips that survive into the next phase cost weeks, not days.

Files that double in elapsed time almost always share three patterns.

First: the safeguarding bank outreach starts after the programme of operations is drafted. The credit committee timeline then dominates the schedule. Start bank outreach in week 2.

Second: the MLRO is hired part-time, on consultancy terms, with no local residency. The supervisor sees through the arrangement and asks for a replacement before substantive review begins. A full-time, locally resident MLRO from week 1 is non-negotiable.

Third: the programme of operations and the risk register are drafted by different teams without a common source of truth for the product taxonomy. The two documents drift, the supervisor catches the drift in the first-round letter, and remediation costs 6–10 weeks.

Avoid the three patterns and a 90-day sprint stays at 90 days. Build the three patterns into the file and the post-submission window stretches from 6 weeks to 9 months.

Ninety days is the practical floor for a credible file when the founder team is committed full-time. Faster than 90 days produces a file that fails the first cross-reference check; longer than 120 days produces a file that no longer matches the team and product the board approved. The post-submission review window then runs 6–9 months in a clean jurisdiction.

Under EMD2, initial capital is €350,000. A PI offering account services or money remittance needs €125,000. Both must be unencumbered, cash, and source-traceable from week 1 of the sprint. Most supervisors expect ongoing own funds materially above the floor once volume forecasts are applied.

Only if the founder has a documented background in AML compliance, is resident in the jurisdiction, and is dedicated enough to the role that the supervisor does not read it as a name-plate. In practice the answer is almost always no — supervisors expect a separate, named, locally resident MLRO with prior payments or banking AML experience.

There is no statutory headcount, but supervisors expect a credible operating team at the point of authorisation. In practice a minimal EMI launches with 8–12 people: CEO, CFO, COO, MLRO, Head of Risk, Head of Compliance, Head of Technology, and a small operations and engineering team. PIs may launch leaner, but the four control functions (compliance, risk, MLRO, internal audit oversight) remain non-negotiable.

• The Anatomy of a Successful EMI Authorisation — the qualitative companion piece on what an approved file actually looks like.

• EMI Licence Application in Lithuania — jurisdiction deep-dive for the most active EEA NCA.

• EMI Licence Application in Cyprus — the CySEC route and how the 90-day sprint adapts to it.

• EMI Safeguarding Architecture — what the week-7 mandate letter actually has to evidence.

The 90-day sprint is not a planning artefact. It is the shortest period in which the four pillars — capital, governance, controls, and safeguarding — can be built once, signed off once, and submitted once. Files built this way move through first-round review in 6 weeks; files built any other way move through it in nine months.