How to Launch a New Online Bank in 2025, part 1

Launching an online bank in 2025 isn’t just a wild fintech dream anymore. It’s a real, regulated path that founders, product people and even traditional businesses are taking—whether as full banks, payment/e-money institutions or “banking-as-a-service” platforms.

But here’s the catch: behind every slick app and metal card sits a dense web of regulation, supervisors and capital requirements. In this guide, we’ll walk through what it actually takes to launch a new “online bank” today, in human language—and point you to official sources so you can go deeper on your own.

First question: do you really need a “bank”?

Before you think about colours for your card, you need to decide what you actually want to be.

In regulatory language, “online bank” can mean a few different things:

• A fully licensed credit institution (a traditional bank, but digital-only)
• A payment institution or electronic money institution (EMI) under EU rules
• A non-bank lender or fintech partnering with a licensed bank (banking-as-a-service)

In the EU, most of the rails for payment services are set by the Payment Services Directive (PSD2) and soon its successor, PSD3, plus a new Payment Services Regulation (PSR). You can see the European Commission’s overview of payment services and the upcoming “payments package” here:Payment services – European Commission European Commission Finance

If you go for a full banking licence in the EU, capital requirements start in the millions of euros. Under the EU Capital Requirements Directive/Regulation, the minimum initial capital for a credit institution is generally 5 million euro (some limited exceptions can be allowed at 1 million+). bankingsupervision.europa.eu

If instead you build as a payment institution or EMI, the initial capital can be significantly lower and is set in Article 7 of PSD2 (e.g. 20k, 50k or 125k EUR depending on the services).

In other words: “online bank” is a brand. Regulators care whether you’re a bank, a payment institution, an EMI, a credit provider, or something else—and each path has its own rules.

Why build your own banking stack at all?

It’s a fair question. With so many BaaS platforms and “white-label banking” solutions, why bother with licences and supervisors?

A few reasons founders still go for it:

• You keep more of the economics instead of sharing margin with a partner bank.
• You control the product roadmap instead of being blocked by someone else’s API.
• You can passport services across the EU (if authorised there) or scale in the US with your own charter.
• You build a regulated asset that investors understand and value.

The trade-off: more capital, more scrutiny, more responsibility.

What your future supervisor will care about

Across jurisdictions, supervisors look at roughly the same themes, even if the acronyms change.

1. Money and where it comes from

Supervisors don’t just ask, “Do you have enough?” but also, “Where did it come from?” and “Is it stable?”

• In the EU, payment institutions must show initial capital and ongoing own funds, with details set in PSD2 and fleshed out in the European Banking Authority’s Guidelines on authorisation. European Banking Authority
• For full banks, European banking supervision (ECB + national authorities) expects initial capital to be fully paid up and of good quality, as described in the ECB’s guide to licence applications. bankingsupervision.europa.eu
• In the US, the FDIC’s Handbook for Organizers of De Novo Institutions makes clear that new banks need not just capital but “appropriate capital support” over time—not just a one-off cheque. FDIC

So yes, you need money—but you also need a coherent story around investors, ownership and long-term solvency.

2. Who your customers are

Regulators expect you to know your target market better than any pitch deck bullet point:

• Which segments are you serving (students, SMEs, freelancers, migrants, gig workers)?
• What risks come with those segments (high chargeback risk, cross-border flows, cash-intensive businesses)?
• How will you onboard and monitor them (KYC, transaction monitoring, sanctions screening)?

The EBA’s authorisation guidelines explicitly require a three-year business plan, detailed financial projections and a clear description of target customers and products.

If you can’t explain your customers simply, you’re not ready.

3. Governance and internal structure

Supervisors don’t authorise products. They authorise institutions—people, committees, lines of defence.

Expect to answer questions like:

• Who sits on your board and what experience do they bring?
• Who is responsible for risk, compliance and internal audit?
• How do you avoid one person “wearing all the hats” in practice?

Under PSD2, the EBA requires payment institution applicants to show a “structural organisation, governance arrangements and internal control mechanisms” that are proportionate but robust.

In de novo bank applications in the US, the FDIC and Federal Reserve have similar expectations around experienced management and a “fit and proper” board.

4. Technology, security and resilience

You can’t be an online bank with a fragile tech stack.

• Card data has to meet PCI DSS standards if you’re handling card details.
• Payment rails must be resilient and meet local requirements (for example, instant payments rules in the EU).
• Supervisors increasingly expect robust cyber-security, incident response and outsourcing oversight.

The EU’s new payments package (PSD3/PSR) and broader digital finance rules are moving towards more harmonised supervision of IT and fraud risks across payment providers. European Parliament

In practice, this means you should think about a proper SOC, incident playbooks, tested backups and realistic capacity planning—not just pretty screens.

How long does it really take?

The original “18 months” rule-of-thumb is not far off—but it depends a lot on:

• your chosen licence type
• your jurisdiction
• how prepared you are when you hit “submit”

For context:

• The FDIC’s materials for new banks describe a multi-stage process: business plan, pre-filing discussions, formal application, review, and then an extended period of supervisory attention after authorisation.
• In the EU, experience under PSD2 shows that authorisation of payment and e-money institutions often takes many months, especially if the initial file is incomplete and authorities request further information. The EBA has even done a peer review noting big differences in timelines and expectations between Member States.

If you build from scratch, 12–24 months from first whiteboard to customers holding your cards is a realistic range.