Red Flags When Checking an Electronic Money Institution

An electronic money institution (EMI) claiming to operate across Europe must hold valid authorisation from a national competent authority (NCA). Before depositing funds or transacting, verify the institution's status against the European Banking Authority (EBA) EUCLID register and the relevant NCA's public register. A mismatch between marketing claims and official records is the strongest indicator of fraud or regulatory failure. This post identifies five concrete red flags that demand immediate verification stops.

TL;DR verification take

Licensed EMIs must appear on both their home-country NCA register and the EBA EUCLID register with matching authorisation dates, permission scope, and safeguarding status. If the institution's website claims EU-wide passporting but the register shows no passport notifications filed, or if the safeguarding certificate has expired, or if a regulator has issued a public warning, walk away. Cross-check the register entry against the marketing site in real time - discrepancies signal either deliberate deception or regulatory collapse.

Step-by-step verification process

1. Identify the institution's home NCA by visiting its website and locating the regulatory claim or licence number.
2. Navigate to the home NCA's public register (for example, Bank of Lithuania for Lithuanian EMIs, or Autorité de contrôle prudentiel et de résolution for French EMIs).
3. Search for the institution by name or licence number and record the authorisation date, permission category, and current status.
4. Cross-reference the same institution on the EBA EUCLID register at euclid.eba.europa.eu.
5. Compare both records for matching dates, scope, and any notes on passporting or safeguarding.
6. Check the institution's website for a published safeguarding statement and verify the certificate expiry date.
7. Search the NCA's enforcement or warning notices page for any public action against the institution.

Red flag 1: Register status mismatch with marketing site

An EMI's marketing material may claim "authorised and regulated in the European Union" or list a specific licence number. The official register entry must match this claim exactly - same legal name, same authorisation date, same permission type. If the website claims a licence number that does not appear on the NCA register, or if the register shows the institution as "revoked" or "suspended" while the website advertises active services, the institution is either operating illegally or has failed to update its records after enforcement action.

The Bank of Lithuania (LB) maintained 87 active EMI authorisations as of Q1 2025. Each carries a unique reference number. An institution claiming Lithuanian authorisation must appear in that list with current status. Absence or mismatch is grounds for immediate rejection.

Red flag 2: Expired or missing safeguarding statement

Electronic Money Directive 2 (EMD2, Directive 2009/110/EC) requires EMIs to publish a safeguarding statement describing how customer funds are protected - typically via segregated bank accounts, insurance, or reserve funds. This statement must include an expiry or review date. An expired safeguarding certificate signals that the EMI has not renewed its compliance proof, indicating either negligence or deliberate concealment of changed safeguarding arrangements.

Check the institution's website for a published safeguarding statement. If none exists, or if the document is dated more than 12 months ago without a renewal date, contact the NCA directly to confirm current status. Absence of a valid safeguarding statement is a material breach of EMD2 Article 7.

Red flag 3: Regulator notice or enforcement action

National competent authorities publish warnings and enforcement notices on their websites when an EMI violates regulatory requirements or poses a risk to consumers. The Financial Conduct Authority (FCA) maintains a "Warning list" of unauthorised firms. The European Securities and Markets Authority (ESMA) coordinates cross-border warnings. If the institution appears on any regulator's warning or enforcement list, it is either unlicensed, operating outside its permissions, or subject to active investigation.

Search the home NCA's website for "enforcement actions" or "warning notices." Also check the FCA's warning list and ESMA's list of unauthorised entities. A single mention is sufficient grounds to avoid the institution.

Red flag 4: Withdrawn passporting rights

Under PSD2 (Directive (EU) 2015/2366), an EMI authorised in one EU member state may passport its services to other member states by notifying its home NCA. The EBA EUCLID register records all active passport notifications. If an institution's marketing material claims to operate in five EU countries but EUCLID shows no passport notifications, the institution is either misrepresenting its scope or has withdrawn its notifications without updating its website.

Withdrawn passporting often signals financial distress, loss of compliance capability, or preparation for exit. Cross-check the passport notifications listed in EUCLID against the countries where the institution actively markets services. Mismatch indicates either false advertising or regulatory withdrawal.

Red flag 5: Recent change of permission or authorisation conditions

When an NCA modifies an EMI's permission - for example, removing the right to issue e-money or restricting the customer base - it publishes a notice. An EMI that recently lost a permission category but continues to advertise that service is operating outside its authorisation. Similarly, a very recent authorisation date (less than 6 months old) combined with aggressive marketing may indicate a startup that has not yet been stress-tested by regulators.

Review the NCA register entry for the most recent permission change date. If the register shows a permission was restricted or removed within the past 12 months, verify that the institution's current website no longer advertises that service. Recent permission changes warrant extra scrutiny of the institution's compliance track record and financial stability.

Verification checklist: red flags summary

| Red Flag | What to Check | Where | Action if Found | |----------|---------------|-------|------------------| | Register mismatch | Legal name, licence number, authorisation date match website | NCA register + EUCLID | Do not proceed | | Expired safeguarding | Certificate date within 12 months | Institution website + NCA | Request current proof or stop | | Regulator notice | Institution name on warning or enforcement list | NCA, FCA, ESMA websites | Do not proceed | | Withdrawn passporting | Passport notifications match claimed service countries | EUCLID register | Verify scope before transacting | | Recent permission change | Authorisation or permission modified in past 12 months | NCA register | Review compliance history |

What this article does not cover

This post focuses on authorisation and register status verification only. It does not assess an EMI's compliance with Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) obligations under the Fourth Anti-Money Laundering Directive (AMLD4) or Fifth Anti-Money Laundering Directive (AMLD5), nor does it evaluate safeguarding arrangements in detail beyond checking for an expired certificate. Crypto-asset activities are not covered - those fall under the Markets in Crypto-Assets Regulation (MiCAR), which is separate from EMD2 authorisation. This article also does not assess the quality of customer service, fees, technology, or user experience. Finally, it does not verify whether an EMI holds deposit insurance or is eligible for deposit-guarantee scheme (DGS) protection - that is a separate regulatory inquiry outside the scope of EMI authorisation status.

Frequently asked questions

Q: Can an EMI operate legally without appearing on the EBA EUCLID register?

No. All EMIs authorised in the EU must appear on EUCLID within 30 days of authorisation by their home NCA. If an institution claims to be an authorised EMI but does not appear on EUCLID, it is either unlicensed or operating under a different regulatory framework (such as payment institution status under PSD2), which is not the same as EMI status.

Q: What should I do if I find a register mismatch?

Contact the NCA directly with the institution's name and claimed licence number. Ask whether the institution holds current authorisation and what its exact permission scope is. Do not rely on the institution's own explanation. If the NCA confirms the institution is not authorised or is operating outside its permissions, report it to your local financial crime authority.

Q: How often are NCA registers updated?

Most NCAs update their registers within 1-2 business days of a permission change or enforcement action. The EBA EUCLID register is updated daily. However, some institutions may not immediately update their websites after a permission withdrawal. Always verify the register date is recent (no more than 7 days old) by checking the "last updated" timestamp on the NCA website.

Q: Is a recent authorisation date itself a red flag?

Not automatically. A new EMI may be legitimate. However, combine a very recent authorisation date (less than 3 months old) with aggressive marketing claims, minimal online presence, or difficulty locating regulatory information - then escalate scrutiny. New institutions should have transparent ownership, clear compliance policies, and auditable safeguarding arrangements.

Q: What if the institution's website is in a language I do not speak?

Use an automated translation tool to review the key claims: authorisation statement, licence number, safeguarding certificate, and contact details. Cross-check the licence number against the NCA register in the original language. If the translated website and register entry do not align, or if the institution refuses to provide documentation in English or your local language, treat it as a warning sign.

Primary sources

European Banking Authority (EBA) EUCLID register: euclid.eba.europa.eu. Electronic Money Directive 2 (EMD2): Directive 2009/110/EC. Payment Services Directive 2 (PSD2): Directive (EU) 2015/2366. Bank of Lithuania EMI register: www.lb.lt. Financial Conduct Authority (FCA) Financial Services Register and Warning List: register.fca.org.uk.