--- title: The 90-Day Pre-Application File Build for EMI and PI Licences slug: 90-day-pre-application-emi-pi-build publishedAt: 2026-05-25T16:30:00Z author: Finconduit Editorial Team tags: EMD2, PSD2, DORA, AML canonicalUrl: https://finconduit.com/resources/90-day-pre-application-emi-pi-build --- # The 90-Day Pre-Application File Build for EMI and PI Licences Thirteen weekly deliverables across four phases that move an EMI or PI applicant from intent to submission-ready in 90 days. From "we want to apply" to "ready to submit" is a **90\-day sprint** with **13 weekly deliverables**. Skip a deliverable and the supervisor's first\-round questions stretch the post\-submission window from **6 weeks to 9 months**. This is the week\-by\-week build for an **EMI licence** or **PI authorisation** in the EEA. The 90\-day frame is not arbitrary. It is the shortest period in which a **management body slate**, a **programme of operations**, a **risk register**, an **AML/CTF manual**, a **safeguarding architecture**, an **ICT and DORA mapping**, an **outsourcing register**, and a **board\-approved document pack** can be produced sequentially, with the right **sign\-off gates** between phases. The sprint we describe below is built around the regimes set by the **EMD2 Directive 2009/110/EC** and **PSD2 Directive \(EU\) 2015/2366**, and the EBA guidelines on **outsourcing**, **ICT and security risk management**, and **suitability of the management body**. It works for **Bank of Lithuania**, **CySEC**, **MFSA**, **Central Bank of Ireland**, and **CSSF** files alike. ## Why 90 Days \(and Not Longer or Shorter\) Applicants who try to compress this into **30–45 days** almost always submit a file that looks credible at the cover page and falls apart at Annex 4. The **programme of operations** is misaligned with the **risk register**, the **AML manual** cites controls the firm has not yet built, and the **safeguarding letter** references a bank that has not yet agreed terms. Applicants who stretch beyond **120 days** usually lose momentum. The management body slate shifts, the business model drifts, and the version of the file that finally submits no longer matches the version the board approved. Ninety days is long enough to build evidence and short enough to keep the same team, the same product, and the same numbers from week 1 to week 13. It is also the shortest period in which a credible **safeguarding bank** will sign a mandate letter for a pre\-licence entity. ## The Four Phases — Overview The 13 deliverables fall into **four phases**, each with its own purpose and its own internal sign\-off gate. - **Foundations \(weeks 1–3\)** — capital, jurisdiction, management body. Nothing in the file is written until these three are locked. - **Documentation \(weeks 4–7\)** — programme of operations, risk register, AML manual, safeguarding mandate. The four pillars the supervisor reads first. - **Drill \(weeks 8–11\)** — ICT and DORA mapping, outsourcing register, first\-round question simulation, board resolutions. Stress\-test before the supervisor does it for you. - **Submission\-Ready \(weeks 12–13\)** — compilation, Bates\-stamping, cover letter, submission window. Mechanical work, but the place where 1 in 4 files still slip a week. ## Week 1 — Decision Memo \+ Capital Confirmation Week 1 produces two artefacts: a **decision memo** and a **capital confirmation**. The decision memo states the licence class \(EMI or PI\), the target jurisdiction, the products in scope, and the volume forecast over 36 months. The capital confirmation evidences **€350,000** of initial own funds for an EMI or **€125,000** for a PI offering account services and money remittance, set under [EMD2](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32009L0110).¹[^1] The capital must be **unencumbered, cash, and source\-traceable**. The **source of funds** file for own funds is the single document most often under\-prepared at week 1 and most often demanded by week 5 of supervisor review. Owner: **CFO and founder**. Dependency: a board minute or equivalent shareholder resolution. Sign\-off: board chair. ## Week 2 — Jurisdiction & NCA Pre\-Engagement By the end of week 2 the applicant has had an **informal pre\-meeting** with the chosen **NCA**. The Bank of Lithuania runs structured pre\-application meetings on a published cycle; CySEC, MFSA, the Central Bank of Ireland, and CSSF do the same on request. The meeting is not optional in a 90\-day sprint. Bring the **decision memo**, a **one\-page funds\-flow diagram**, a list of the **named individuals** who will sit on the management body, and the **safeguarding bank** shortlist. Do not bring slides. The output is a **meeting note** capturing the supervisor's stated concerns. Those concerns become the **first\-round question list** you drill against in week 10. Skipping the pre\-meeting means skipping the only chance to learn what the supervisor will ask before they ask it. ## Week 3 — Management Body Slate \+ Fit\-and\-Proper Submissions Week 3 closes the **management body slate** and files the **fit\-and\-proper questionnaires** under the [EBA Guidelines on suitability of members of the management body](https://www.eba.europa.eu/regulation-and-policy/internal-governance).²[^2] The supervisor expects a balance of **payments experience**, **compliance leadership**, **risk management**, and **local jurisdictional presence**. An all\-founder, all\-engineer board fails this test on the first read. Each questionnaire needs a **CV**, a **police certificate**, a **credit check**, and a **declaration of conflicts**. Collecting these from non\-EEA executives takes longer than founders expect. Start in week 1 even though the deliverable is due in week 3. > **Tip:** Phase 1 sign\-off gate \(end of week 3\): board chair, founder, and prospective MLRO co\-sign a one\-page declaration that capital, jurisdiction, and management body are locked. Phase 2 documentation work does not begin until that signature exists. ## Week 4 — Programme of Operations Draft v1 The **programme of operations** is the file's narrative spine. It maps the firm's products to the [PSD2 Annex I payment services](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L2366) and explains the funds\-flow end\-to\-end.³[^3] Cover: **customer onboarding**, **funds in / funds out**, **safeguarding flow**, **FX execution**, **card scheme participation** \(if any\), **reconciliation**, and **complaint handling**. Each section names the systems and the human owner. Draft v1 will be wrong. That is expected. The purpose of week 4 is to produce a draft the risk team can attack in week 5. ## Week 5 — Risk Register \+ Quantified Controls The **risk register** must do three things at once: enumerate inherent risks, attach controls, and quantify residual risk. The supervisor reads it side\-by\-side with the programme of operations and rejects any control that has no narrative counterpart. Categories at minimum: **ML/TF**, **fraud**, **sanctions**, **safeguarding**, **operational and ICT**, **outsourcing and concentration**, **liquidity**, **conduct**, and **reputational**. Each row carries an inherent score, a control description, a residual score, and an owner. Quantification is what separates a credible register from a checklist. Inherent and residual scores need a stated methodology — even a simple **5x5 impact\-likelihood matrix** is acceptable so long as the methodology is documented. ## Week 6 — AML/CTF Manual \+ MLRO Appointment Week 6 produces the **AML/CTF manual** and confirms the **MLRO** appointment with the supervisor. The MLRO must be **resident in the jurisdiction**, separately fit\-and\-proper, and dedicated enough that the supervisor believes the role is not a name\-plate. The manual cross\-references the **risk register** line\-for\-line. Every control claimed in the register has a procedure number in the manual. Every procedure in the manual maps to a control in the register. If the two documents do not match, the supervisor finds it. Sections: **customer onboarding and CDD**, **EDD triggers**, **PEP and sanctions screening**, **transaction monitoring**, **SAR escalation**, **record\-keeping**, **training**, and **independent testing**. ## Week 7 — Safeguarding Bank Engagement Week 7 produces a **draft mandate letter** from a credible **safeguarding bank** and a **same\-name account confirmation** — the bank confirming that the safeguarding account will be opened in the licensed entity's name, segregated from operating funds, and labelled as customer\-funds for insolvency purposes. This is the single deliverable most likely to slip. A safeguarding bank's credit committee runs on its own cycle; mandate letters take **4–6 weeks** from first contact. Bank outreach therefore starts in week 2, not week 7. A file that submits without an in\-principle mandate letter is a file that invites a **first\-round question on safeguarding architecture** within two weeks of receipt. > **Warning:** Phase 2 sign\-off gate \(end of week 7\): programme of operations v1, risk register v1, AML manual v1, and safeguarding mandate letter circulated to the management body. No version increments outside scheduled review windows. ## Week 8 — ICT & DORA Mapping Week 8 produces an [ICT and security risk management](https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management) mapping that aligns the firm's technology architecture to the EBA framework, and a **DORA gap analysis** that records which DORA articles already have evidence and which are on a 12\-month remediation plan.⁴[^4] Coverage: **governance**, **information security**, **ICT operations**, **change management**, **incident management**, **BCP and DR**, **third\-party ICT risk**, and **penetration testing**. ## Week 9 — Outsourcing Register \+ Critical Functions Classification Week 9 builds the **outsourcing register** under the [EBA Guidelines on outsourcing arrangements](https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements).⁵[^5] Each arrangement is classified **critical or important** or **non\-critical**. Critical\-or\-important arrangements need a due\-diligence file, a written contract that meets the EBA clauses, an exit plan, and a board notification record. Cloud infrastructure, KYC vendors, transaction monitoring, card processing, and outsourced compliance functions usually score critical. Supervisors increasingly ask for an **intra\-group outsourcing** section: services received from non\-EEA group entities trigger their own substance and data\-localisation tests. ## Week 10 — Internal Drill: First\-Round Questions Simulation Week 10 is the highest\-leverage week in the sprint. The compliance team sits across the table from the founders and asks the **40 questions** the supervisor is most likely to ask in their first\-round letter. Sources for the question list: the week 2 **NCA pre\-meeting note**, the supervisor's published guidance, the most recent **FCA EMI Approach Document** \(used as a quality benchmark even outside the UK\), and the firm's own risk register hotspots. The [FCA's FG17/03](https://www.fca.org.uk/publication/finalised-guidance/fg17-03.pdf) remains the most detailed published authorisation rubric in the EEA\-equivalent universe and is read by EEA supervisors as the benchmark a credible file should clear.⁶[^6] Any question the team cannot answer in 5 minutes with evidence pinned to the file goes onto a **week 11 remediation list**. This is the moment the file is genuinely stress\-tested. ## Week 11 — Board Approvals \+ Resolutions Week 11 produces the formal **board approval pack**. One resolution approves each of: the programme of operations, the risk register, the AML manual, the safeguarding architecture, the ICT and DORA mapping, the outsourcing register, and the appointment of the MLRO. The resolutions matter for a procedural reason: supervisors read board minutes as evidence that the management body has applied its mind to the file. A board that approves seven documents in one minute on one day reads as ceremonial. A board that meets twice, asks recorded questions, and approves the file across two minuted sittings reads as **functioning**. ## Week 12 — Document Pack Compilation \+ Bates\-Stamping Week 12 compiles the pack. Every document is version\-stamped, **Bates\-numbered**, and indexed against the supervisor's authorisation checklist. Every cross\-reference inside the documents is verified to land on a real page in a real annex. The most common week\-12 failure: the programme of operations references "Annex 7 — funds\-flow diagram" but Annex 7 does not exist because a paralegal renumbered the annexes after the diagram was finalised. ## Week 13 — Submission Window \+ Cover Letter Week 13 is the submission window. The **cover letter** is two pages: a one\-paragraph summary, a list of the principal annexes, a list of any items submitted on a remediation timeline \(e.g. DORA pen\-test scheduled for month 7\), and a named contact point for first\-round questions. Submission day is administrative. The file is the work of the previous 12 weeks. If week 13 contains substantive drafting, the sprint has failed. *Table: The 13\-week sprint at a glance: deliverable, owner, dependency, and sign\-off.* | Week | Deliverable | Owner | Dependency | Sign\-off | | --- | --- | --- | --- | --- | | 1 | Decision memo \+ capital confirmation | CFO / founder | Shareholder resolution | Board chair | | 2 | NCA pre\-engagement meeting | Founder \+ counsel | Decision memo | Meeting note circulated | | 3 | Management body slate \+ F&P | Founder \+ HR | Background checks | Phase 1 gate | | 4 | Programme of operations v1 | COO | Decision memo | Compliance review | | 5 | Risk register \+ quantified controls | Risk lead | Programme v1 | CRO | | 6 | AML/CTF manual \+ MLRO appointment | MLRO | Risk register | MLRO \+ board | | 7 | Safeguarding mandate letter | CFO | Bank credit committee | Phase 2 gate | | 8 | ICT \+ DORA mapping | CTO \+ CISO | Architecture diagram | Risk and CTO | | 9 | Outsourcing register | COO \+ procurement | Vendor contracts | Risk and compliance | | 10 | First\-round Q drill | Compliance \+ founders | All v1 docs | Compliance head | | 11 | Board approvals \+ resolutions | Company secretary | Drill remediation list | Board chair | | 12 | Pack compilation \+ Bates\-stamping | Compliance ops | All approved docs | Compliance head | | 13 | Cover letter \+ submission | Counsel \+ CEO | Pack ready | CEO \+ Phase 4 gate | ## Common Failures by Phase \(and How the Next Phase Compensates\) Most files fail on the same patterns. The compensating moves below assume the slip is caught within the same phase — slips that survive into the next phase cost weeks, not days. *Table: Common failures by phase and the next\-phase compensation.* | Phase | Common failure | Cost if uncorrected | Same\-phase compensation | | --- | --- | --- | --- | | Foundations | Capital source not traced | Supervisor SoF letter, \+6 weeks | Auditor\-signed SoF memo in week 1 | | Foundations | All\-founder management body | Suitability questions, \+8 weeks | Recruit independent NED in week 2 | | Documentation | Programme vs risk register mismatch | Wholesale rewrite, \+6 weeks | Single source of truth for products | | Documentation | AML controls not built | SAR/CDD evidence demand, \+10 weeks | Build before manual, not after | | Drill | Outsourcing register thin | Critical\-function letter, \+6 weeks | Re\-classify cloud and KYC in week 9 | | Drill | DORA gaps unrecorded | Remediation order, \+12 weeks | Honest gap list with dates | | Submission\-Ready | Annex cross\-refs broken | Resubmission, \+2 weeks | Cold\-read the pack twice in week 12 | | Submission\-Ready | No safeguarding mandate | Conditional licence path, \+16 weeks | Letter from bank A; back\-up bank B | ## What Slips 90 Days into 180 Days Files that double in elapsed time almost always share three patterns. First: the **safeguarding bank** outreach starts after the programme of operations is drafted. The credit committee timeline then dominates the schedule. Start bank outreach in week 2. Second: the **MLRO** is hired part\-time, on consultancy terms, with no local residency. The supervisor sees through the arrangement and asks for a replacement before substantive review begins. A full\-time, locally resident MLRO from week 1 is non\-negotiable. Third: the **programme of operations** and the **risk register** are drafted by different teams without a common source of truth for the product taxonomy. The two documents drift, the supervisor catches the drift in the first\-round letter, and remediation costs **6–10 weeks**. Avoid the three patterns and a 90\-day sprint stays at 90 days. Build the three patterns into the file and the post\-submission window stretches from **6 weeks** to **9 months**. ## FAQ ### How long does it take to prepare an EMI licence application? Ninety days is the practical floor for a credible file when the founder team is committed full\-time. Faster than 90 days produces a file that fails the first cross\-reference check; longer than 120 days produces a file that no longer matches the team and product the board approved. The post\-submission review window then runs **6–9 months** in a clean jurisdiction. ### What's the minimum capital for an EMI? Under **EMD2**, initial capital is **€350,000**. A PI offering account services or money remittance needs **€125,000**. Both must be unencumbered, cash, and source\-traceable from week 1 of the sprint. Most supervisors expect ongoing own funds materially above the floor once volume forecasts are applied. ### Can a startup founder be the MLRO? Only if the founder has a documented background in **AML compliance**, is resident in the jurisdiction, and is dedicated enough to the role that the supervisor does not read it as a name\-plate. In practice the answer is almost always no — supervisors expect a separate, named, locally resident **MLRO** with prior payments or banking AML experience. ### How many staff do you need before applying? There is no statutory headcount, but supervisors expect a credible operating team at the point of authorisation. In practice a minimal EMI launches with **8–12 people**: CEO, CFO, COO, MLRO, Head of Risk, Head of Compliance, Head of Technology, and a small operations and engineering team. PIs may launch leaner, but the four control functions \(compliance, risk, MLRO, internal audit oversight\) remain non\-negotiable. > **Call to action:** Want the 90\-day sprint run by people who've shipped EMI files? Finconduit drives the week\-by\-week build and produces the submission\-ready pack. Book a free pre\-application diagnostic. ## Related Guides - [The Anatomy of a Successful EMI Authorisation](/resources/anatomy-successful-emi-authorisation) — the qualitative companion piece on what an approved file actually looks like. - [EMI Licence Application in Lithuania](/resources/emi-licence-lithuania) — jurisdiction deep\-dive for the most active EEA NCA. - [EMI Licence Application in Cyprus](/resources/emi-licence-cyprus) — the CySEC route and how the 90\-day sprint adapts to it. - [EMI Safeguarding Architecture](/resources/emi-safeguarding-architecture) — what the week\-7 mandate letter actually has to evidence. The 90\-day sprint is not a planning artefact. It is the shortest period in which the four pillars — **capital**, **governance**, **controls**, and **safeguarding** — can be built once, signed off once, and submitted once. Files built this way move through **first\-round review in 6 weeks**; files built any other way move through it in nine months. ## Footnotes [^1]: Directive 2009/110/EC of the European Parliament and of the Council on the taking up, pursuit and prudential supervision of the business of electronic money institutions \(EMD2\), Article 4. [^2]: EBA Guidelines on the assessment of the suitability of members of the management body and key function holders \(EBA/GL/2021/06\), revised joint ESMA\-EBA guidelines. [^3]: Directive \(EU\) 2015/2366 on payment services in the internal market \(PSD2\), Annex I — list of payment services. [^4]: EBA Guidelines on ICT and security risk management \(EBA/GL/2019/04\), final report published 28 November 2019. [^5]: EBA Guidelines on outsourcing arrangements \(EBA/GL/2019/02\), in force from 30 September 2019. [^6]: Financial Conduct Authority, FG17/03 — Authorisation and registration as a payment institution or electronic money institution, finalised guidance. --- Source: https://finconduit.com/resources/90-day-pre-application-emi-pi-build