Account Information Provider (API) License in Estonia
The Account Information Provider (AIP) licence in Estonia — also known as an Account Information Service Provider (AISP) authorisation — is issued by Finantsinspektsioon under the Payment Institutions and E-money Institutions Act, transposing PSD2 (Payment Services Directive 2) into Estonian law.
An AIP licence authorises firms to access bank account data held with payment service providers — with the account holder’s explicit consent — and provide consolidated financial data, spending analytics, personal finance management tools, and financial insight services. Crucially, an AIP does not process payments, move funds, or hold client money, which means it carries significantly lower prudential requirements than a full Payment Institution or EMI.
Key parameters: €50,000 minimum capital, a Finantsinspektsioon-licensed structure, local MLRO, and a fully documented AML/GDPR-compliant data governance framework. Operating within the EEA, an Estonian AISP can passport its services across all EU member states without separate local approvals. Estonia applies no corporate tax on retained profits — the 20% rate applies only on distributions.
This page covers Finantsinspektsioon-licensed Estonian AIP entities currently available for transfer, with a full breakdown of permitted activities, capital requirements, and post-acquisition GDPR and AML obligations.
Legasset provides full acquisition support — Finantsinspektsioon change-of-control notification, AML/GDPR documentation, and AISP passport notifications across the EEA.
Our Available Account Information Provider (API) Licenses for Sale
Estonian API License for Sale #1
- Member of Open Banking Europe
- Operates exclusively in Estonia (no EU passporting yet, but can be obtained with a valid business plan)
- Focused on B2C segment
- Over 4,000 registered retail users
Operations & Infrastructure:
- Own developed software
- Mobile apps available for both Android and iOS
- Currently in negotiations with two banks for white-label software integration
- Team of 5 employees
Banking & Safeguarding:
- 4 bank accounts
- Client funds safeguarded at LHV
Regulatory & Capital:
- Only provides account information services (no payment initiation)
- Share capital: €5,000
Related EU payment and data licences
Key Takeaways for API License in Estonia
- The API license allows PSD2-compliant data access across the EU, enabling firms to offer balance checks, transaction analytics, and B2B financial APIs without holding client funds.
- Ready-made EFSA-licensed companies cost €85,000–€115,000, including €50,000 in paid-up capital, pre-approved AML policies, and a registered local MLRO—ready for acquisition and operational structuring.
- Ongoing compliance requires quarterly filings, annual audits, and live AML documentation, with annual upkeep typically ranging from €4,500–€7,500.
- EFSA may revoke licenses for inactivity, even if filings are current. Buyers must demonstrate live operations within 3–6 months post-acquisition to maintain status.
- Non-residents can apply, but must appoint an Estonian MLRO, maintain a local office, and prepare jurisdiction-specific GDPR/AML systems to pass EFSA review and secure banking.
- Legasset supports both acquisition and full license applications, offering officer recruitment, capital planning, banking coordination, and complete regulatory submission support.
What You Need to Know About the API License in Estonia
Table of Contents
The Account Information Provider (API) license in Estonia is a regulatory approval under PSD2 that allows fintech firms to access and consolidate customer bank account data, with the user’s consent. This license is ideal for businesses offering financial dashboards, personal finance apps, or account aggregation services. It does not permit holding client funds, initiating payments, or offering investment services.
The license is designed for companies that process account information only—meaning they can deliver insights, comparisons, and analytics, but must not perform transactions. Firms are also required to exclude high-risk jurisdictions, maintain data integrity under GDPR, and comply with strict AML/CFT controls.
As of 2025, this license is especially relevant for EU-focused fintechs due to rising demand for secure data-based solutions and full PSD2 enforcement across the EEA. Estonia’s license is passportable, giving access to all EEA markets without reapplication.
Who issues the license, what laws apply, and how Estonia compares
The license is issued by the Estonian Financial Supervision Authority (EFSA) (Finantsinspektsioon), under the Payment Institutions and E-Money Institutions Act. It aligns with Directive (EU) 2015/2366 (PSD2), the Money Laundering and Terrorist Financing Prevention Act, and EU-wide GDPR requirements.
Applicants must:
- Maintain a minimum capital of €50,000
- Appoint a compliance officer and implement written AML procedures
- Register a local office and designate a contact person in Estonia
- Demonstrate technical and operational readiness for secure data access
While Estonia abolished the default minimum capital requirement for private limited companies in 2023, this exemption does not apply to PSD2-regulated entities. The €50,000 must be fully paid in before license issuance.
Taxation is one of Estonia’s key advantages: retained earnings are not taxed, and only distributed profits face a 20% corporate tax, supporting reinvestment and growth.
Acquisition pathways and Legasset’s role
Firms can either apply for a new API license, which typically takes 4-6 months, or acquire a ready-made Estonian company that already holds an active license. Legasset facilitates both routes. We assist with everything from ownership transfer, AML documentation, and board restructuring to EFSA notification filings, helping clients reduce launch time while remaining fully compliant.
Whether you’re building from scratch or acquiring a turnkey structure, we ensure your entry into the EU fintech market is legally sound and regulator-ready.
Eligibility Requirements for Obtaining an API License in Estonia
The Estonia API license is available to both Estonian and foreign-owned private limited companies (OÜ). There are no nationality restrictions for shareholders or directors, but the company must demonstrate credible internal controls, qualified personnel, and a clear business model focused on account information services only.
Applicants must appoint a director with relevant fintech or compliance experience, a local contact person, and a designated MLRO. An Estonian registered office is mandatory.
Capital requirements and financial readiness
The minimum paid-in share capital is €50,000. This must be deposited in full before the license is granted. Although general OÜs in Estonia can now register with near-zero capital, this exception does not apply to regulated firms under PSD2.
Funds must be verifiably sourced, and the company must retain sufficient liquidity to operate. While the capital can be used post-approval, it should not fall below thresholds expected by the regulator.
Local presence and compliance staffing
A licensed API provider must maintain a physical presence in Estonia and ensure local supervision capabilities. This includes:
- A registered office
- A named MLRO
- Documented AML/CFT policies
- A data protection policy in line with GDPR
- Internal risk procedures, logs, and audit trails
Annual audits, EFSA reporting, and real-time suspicious transaction monitoring are required throughout the license lifecycle.
Documentation and application process
The submission package must include:
- Company registration extract and articles
- Proof of capital deposit (bank certificate)
- Business plan with 3-year projections
- AML manual, data security policies, IT architecture summary
- Background checks for all UBOs and management
- Signed internal control structure and governance documents
Foreign documents must be notarized, translated into Estonian, and apostilled. Approval timelines are typically 4–6 months, though delays are common if supporting documents are incomplete or vague.
Real costs and what applicants miss
Beyond the €50,000 capital, firms should budget:
- €10,000–€15,000 for legal and licensing costs
- €3,000–€6,000/year for ongoing audits and filings
- €1,500–€4,000/year for office and local agent costs
What many miss: bank account opening is often the slowest step. Even EU PSPs will subject fintechs to enhanced due diligence. Timelines of 6–8 weeks are typical, and weak AML setups can lead to rejections.
How to mitigate risk and move faster
EFSA expects professional-grade documentation. Firms without prior experience in regulatory compliance, AML audits, or GDPR governance should avoid DIY filings. Most delays come from generic internal policies or unqualified directors.
Legasset supports clients by drafting jurisdiction-ready documentation, sourcing experienced local MLROs, and pre-screening business models before submission—ensuring faster, cleaner approval.
Pros & Cons of Acquiring an API License in Estonia
+ EEA-wide service passporting. Licensed firms can offer account information services across all EEA states without additional local licenses, under Directive (EU) 2015/2366.
+ No corporate tax on retained earnings. Estonia imposes 0% corporate tax on undistributed profits, allowing fintechs to reinvest without erosion—only dividends are taxed at 20%.
+ Defined regulatory scope, low liability exposure. Since API providers don’t touch client funds, they face lower operational risk and can often avoid insurance burdens required for PIs and EMIs.
+ No need for EMI or full PI license. Businesses focused solely on financial data aggregation or insights can operate under the API license—avoiding the higher cost and compliance burden of broader licenses.
+ Predictable EFSA licensing timeline. Estonia’s Financial Supervision Authority follows a transparent review process with average approval in 4–6 months.
+ Ready-made licensed companies available. Legasset offers EFSA-approved entities with pre-installed AML frameworks and local directors, reducing setup time to 6–8 weeks.
+ Strategic fit for data monetization models. Ideal for companies monetizing through insights, user dashboards, account comparisons, or affiliate models—without the burden of payment processing.
– No permission to initiate payments or hold funds. API licensees are restricted to data access—payment initiation requires a separate license under PSD2 Article 66.
– €50,000 capital must be paid upfront. The full amount must be deposited and verifiably sourced before the application is reviewed, despite recent capital flexibility for standard OÜs.
– No revenue from transaction fees or interchange. Firms cannot monetize through card fees, FX spreads, or wallet transactions—only through indirect revenue streams like SaaS or data analysis.
– Bank onboarding is slow and risk-sensitive. Even post-licensing, firms may face 4–8 week onboarding delays with EU banks, especially if UBOs are from outside the EEA.
– Annual audits and EFSA reporting mandatory. Despite the limited license scope, API firms must meet full AML/CFT compliance, conduct annual financial audits, and file quarterly operational reports.
– Technical documentation must be jurisdiction-specific. EFSA rejects off-the-shelf AML manuals, IT security policies, and governance templates that aren’t tailored to Estonian standards.
– Strict GDPR obligations. Firms must document lawful data processing grounds, conduct Data Protection Impact Assessments (DPIAs), and pass infrastructure reviews—especially if data is processed outside the EU.
– No MiCA fallback or upgrade path. API licensees cannot expand into crypto or payments under MiCA without applying for a separate license—there is no built-in transition route.
How to Get an API License in Estonia
There are two ways to enter the Estonian market as a licensed Account Information Provider: applying for a new license or purchasing a ready-made company that already holds one. Both routes require full compliance with the rules of the Estonian Financial Supervision Authority (EFSA) under Directive (EU) 2015/2366 (PSD2).
Legasset supports both paths—from entity formation and regulatory structuring to AML documentation, capital planning, and post-approval audit readiness.
The steps below outline what’s involved in each scenario.
Step-by-Step API Licensing Process in Estonia
- Step 1: Choose between a ready-made company and a new application 6-8 weeks
Decide whether to acquire an existing EFSA-licensed company or apply from scratch. A ready-made entity allows faster market entry, often including pre-approved AML frameworks and local officers.
Key Documents: transfer agreement (ready-made) or incorporation documents (new application).
Estimated Cost: €85,000–€115,000 (ready-made) or €65,000–€90,000 (new license).
Timeline: 6–8 weeks (ready-made), 4–6 months (new application). - Step 2: Incorporate the company and deposit capital 2-4 weeks
Form an Estonian private limited company (OÜ) and deposit the required €50,000 share capital into an operational bank account. This must be completed before EFSA reviews the license file.
Key Documents: company registry extract, shareholder declaration, proof of capital deposit.
Estimated Cost: €500–€1,500 (registration), €1,000–€2,500 (local setup and KYC clearance).
Timeline: depends on banking partner and onboarding timelines. - Step 3: Prepare compliance and technical documentation 3-6 weeks
Compile a full set of internal policies, including a tailored AML program, GDPR plan, IT infrastructure documentation, and operational risk controls. EFSA requires these to reflect the actual business model and management structure.
Key Documents: AML/CFT manual, IT security overview, GDPR policy, three-year business plan, CVs of directors and MLRO.
Estimated Cost: €5,000–€9,000 depending on complexity and whether external consultants are used. - Step 4: Submit to EFSA and undergo review 4-6 weeks
Submit the full license application (or change-of-control package for ready-made companies). EFSA will assess shareholder transparency, governance quality, and internal control robustness. At least one round of clarifications is common.
Key Documents: application form, AML program, UBO documentation, EFSA fit-and-proper forms, organizational chart.
Estimated Cost: €3,000–€6,000 in legal and regulatory coordination.
Timeline: 4–6 months for full license; 4–6 weeks for share transfer approval. - Step 5: Finalize launch setup and begin operations 2-4 weeks after license issuance
Once licensed, firms must implement real-time monitoring tools, complete onboarding with a GDPR-compliant cloud provider, and register with the Estonian FIU. An active MLRO must remain in place at all times.
Key Documents: final EFSA license, internal reporting schedule, proof of operational readiness.
Estimated Cost: €3,000–€5,000/year in recurring compliance costs.
Timeframe & Cost Summary
- New license: 4–6 months | €65,000–€90,000 total
- Ready-made license: 6–8 weeks | €85,000–€115,000 total
- Ongoing compliance: €4,500–€7,500/year
Post-Licensing Compliance Obligations for API License in Estonia
Securing an API license from the Estonian Financial Supervision Authority (EFSA) is only the first step. To remain in good standing, firms must maintain continuous regulatory compliance, undergo audits, report suspicious activities, and update EFSA on structural changes. Failure to meet these obligations can result in license suspension, fines, or full revocation—especially in cases of inactivity or governance failures.
Key Ongoing Compliance Requirements
- AML Monitoring and FIU Reporting
All API licensees must implement a live anti-money laundering framework under the Estonian Money Laundering and Terrorist Financing Prevention Act. The MLRO is responsible for ongoing monitoring, internal review, and timely submission of suspicious transaction reports (STRs) to the Estonian FIU. - Quarterly EFSA Filings and Annual Audit
Firms must submit quarterly operational reports and undergo a full annual audit conducted by an accredited Estonian auditor. Any changes to the business model, directors, UBOs, or capital structure must be notified and, in some cases, pre-approved by EFSA. - Strict Data Governance
Under GDPR, firms must maintain a Data Protection Impact Assessment (DPIA), designate a DPO (if applicable), and ensure audit trails for data access and cross-border processing. EFSA has shown increasing scrutiny of IT infrastructure and cloud dependencies—particularly where non-EU data processors are used. - Inactivity Risk
Firms that fail to onboard clients or demonstrate real operations within months of licensing may be flagged as dormant. EFSA reserves the right to revoke licenses for inactivity, even if formal obligations are met. - Ongoing Compliance Costs
On average, firms should budget €4,500–€7,500/year to cover audits, reporting, AML reviews, and updates to internal policies.
How Legasset Helps You Stay Compliant
Legasset provides post-licensing support through:
- Ongoing AML documentation updates and FIU communication
- Coordination with Estonian audit firms and tax advisors
- Structuring governance updates when adding shareholders or changing directors
- Preparing DPIAs and guiding GDPR implementation across EU and third-country data processors
We remain a strategic compliance partner long after license issuance—helping clients avoid penalties, delays, and enforcement action in Estonia and across the EEA.
Common Pitfalls and Challenges of Operating Under an API License in Estonia
While Estonia offers one of the clearest PSD2 licensing frameworks in the EU, maintaining an API license here comes with operational pressure and strict compliance expectations.
- Banking friction is a serious hurdle. Despite EFSA approval, many EU banks still hesitate to onboard fintechs—especially those without a local team or clear AML flow. Clients have faced 6–8 week delays or rejections when their documentation lacked real-world operations.
- Inactivity risks license revocation. EFSA has revoked licenses for entities that remained dormant—despite filing on time. If you don’t begin onboarding clients or submitting meaningful reports, the license may be pulled within 6–12 months.
- Hiring qualified local officers is difficult. Estonia requires a resident MLRO and often expects at least one operational contact on the ground. Finding someone with PSD2, AML, and regulatory reporting experience is a common delay point—especially for foreign founders.
- Compliance volume is higher than expected. Even for non-transactional firms, API licensees must produce quarterly filings, annual audits, and AML logs. Many underestimate the administrative load and budget only for the licensing phase.
- Tech infrastructure must withstand scrutiny. GDPR enforcement includes system-level inspections. EFSA has delayed approvals due to weak IT documentation, missing Data Protection Impact Assessments (DPIAs), or use of non-EU data processors without safeguards.
How Legasset Helps You Avoid This
We match clients with qualified local MLROs, vet banking providers upfront, and build jurisdiction-specific AML, GDPR, and IT documentation. For ready-made entities, we ensure files are active, clean, and structurally sound—avoiding the common failures that derail early operations.
FAQ About Purchasing an API License in Estonia
What can I legally do with an API license in Estonia?
You can offer account aggregation, balance checks, transaction history, and related data services with user consent. These fall under PSD2 account information services.
You cannot initiate payments or hold client funds—those require a different license.
How much does it cost to buy a ready-made API-licensed company in Estonia?
Expect a total of €85,000–€115,000, including share transfer, compliance updates, and local officer setup. Annual maintenance (audit, filings, AML, MLRO) adds €4,500–€7,500/year.
How long does it take to start operating with an Estonian API license?
Most ownership changes are approved within 6–8 weeks. If banking takes longer, full setup can stretch to 10–12 weeks. Clients without local presence or strong AML files may face additional onboarding delays.
Do I need to be based in Estonia to hold the API license?
No, but you must appoint an Estonia-based MLRO, maintain a local registered office, and meet EFSA’s substance requirements. We help structure compliant setups even for fully foreign-owned businesses.
Can I add payment or crypto services later to my API in Estonia?
No. The API license is not upgradeable. To offer payments, you’ll need a Payment Institution license. For crypto, a separate CASP license under MiCA is required. We advise on license stacking and multi-jurisdiction strategies.
What are the biggest compliance risks post-purchase of an Estonian API?
EFSA may revoke inactive licenses. You must show real operations within months: submit filings, appoint a functioning MLRO, and pass an annual audit. Generic AML/GDPR templates are not accepted. Most failures happen here.
Can Legasset help me apply for an API in Estonia from scratch instead of buying?
Yes. Our team handles both routes: ready-made company transfers and new EFSA applications. We structure capital, recruit local officers, draft AML/GDPR policies, and liaise with regulators.
Additional Links and Resources for API License in Estonia
EFSA’s official page for Account Information Service Providers (AISP), detailing licensing procedures, supervisory requirements, and links to the full application package and PSD2 directives.
II. Estonian Money Laundering and Terrorist Financing Prevention Act
The full legal framework regulating AML/CFT compliance in Estonia. Required reading for MLROs and founders preparing internal AML policies for license maintenance.
III. Estonian Financial Intelligence Unit (FIU) – Obligations
Outlines the reporting duties, suspicious activity guidelines, and AML registration requirements for licensed entities operating in Estonia under financial licenses.
IV. PSD2 Directive – Directive (EU) 2015/2366
The original European Payment Services Directive that governs AISP licensing and supervision across the EU. Includes legal definitions, passporting rights, and security requirements.
V. Estonian Data Protection Inspectorate (DPI)
Official site of Estonia’s data authority. Useful for firms building GDPR documentation, DPIAs, and cloud infrastructure policies tied to API license compliance.
