A US fintech pursuing a UK Electronic Money Institution authorization, an Irish e-money branch, and a DNB-supervised Dutch presence does not have a generic global-hiring problem. The FCA, the Central Bank of Ireland, and De Nederlandsche Bank each maintain a list of regulated functions where the individual must be approved by the regulator before taking the role, and where personal liability runs directly from the regulator to the human. Putting those people on third-party employment paper is a category error.
The accurate answer for a fintech in the authorization window is a matrix: some roles must sit on the licensed entity from day one, others sit cleanly on EOR paper for years, and a third set sits on EOR until a milestone forces migration. This article is that matrix, with the regulatory citations behind each line, and the migration playbook timed to authorization. It sits inside the broader tech EOR thesis.
The hiring problem fintechs actually have
Four pressures show up consistently.
Authorization timelines force pre-hires. The FCA must decide on a complete EMI application within three months of receipt, but a complete file requires a fully-staffed governance structure. The Head of Compliance, MLRO, safeguarding lead, and executive directors all have to be named and proposed for approval before the FCA treats the file as complete. The same shape repeats for Irish PCF approvals and Dutch DNB fit-and-proper assessments. Regulated leadership has to be hired before the license, before the local entity can carry the headcount, and before revenue justifies the run-rate.
EU presence is rarely one country. A US fintech opening EMEA usually wants UK plus at least one EU member state for passporting. Ireland and the Netherlands come up most often; Lithuania has become the largest EU EMI hub by license count. The controlled-function regimes are not harmonized.
The regulator is reading the org chart. A Statement of Responsibilities for an SMF describes responsibilities at "the firm." If the SMF is not employed by the firm, the document raises a question that takes the application off the standard track.
DORA put ICT third parties under the same lens. DORA's register of information, with first submissions due January 31, 2026 for 2025 data, requires disclosure of ICT third-party service providers and their supply chains. EOR-employed engineers are not ICT third parties in the DORA sense, but a sloppy contract structure can blur that line.
Why SMF, PCF, and equivalent roles cannot sit on EOR paper
An Employer of Record is a third party that legally employs a worker on behalf of the company directing the worker's day-to-day output. For most tech roles that is the end of the question. For SMFs, PCFs, Geschäftsleiter, and F&P-tested board roles, three structural reasons make EOR the wrong instrument. Any one would be enough.
The Statement of Responsibilities mismatch. Every SMF has a Statement of Responsibilities submitted to the FCA on approval, attesting to responsibilities the individual personally holds at the firm. The Duty of Responsibility under FSMA exposes the SMF to direct enforcement if the firm breaches a relevant requirement. A Statement of Responsibilities that says "responsible for compliance at FintechCo" while the individual's employer of record is a third-party Dutch BV is not prohibited in the Handbook, but it triggers a bespoke conversation with the FCA's authorization team. Firms in the authorization window cannot afford that conversation.
The regulatory reference chain. Under SYSC 22 of the FCA Handbook, a firm appointing an SMF or Certified individual must obtain regulatory references covering the previous six years from each previous employer in scope. A firm that hires a Senior Manager via EOR is not the legal employer for SYSC 22 purposes; the EOR is. That breaks the reference chain in both directions. The FCA expects references to mirror the SYSC 22.2 template and to be provided within six weeks.
MLRO personal liability under MLR 2017. Under POCA 2002 and the Money Laundering Regulations 2017, failure to disclose known or suspected money laundering where the obligation has crystallised is a criminal offence carrying up to five years' imprisonment and an unlimited fine. The Norton Rose analysis notes that retaining a suitable MLRO is hard precisely because the role carries personal liability few other functions match. The Eversheds Sutherland summary of FCA guidance on competence and capability is explicit that internal compliance capability cannot be outsourced; applications where third parties act as the firm's principal compliance resource "tend to fail." The FCA Handbook does not explicitly forbid EOR for SMF17, but the practical reading is unambiguous.
The same logic, with different statutory citations, applies to Irish PCFs, Dutch DNB-tested roles, BaFin Geschäftsleiter, and Bank of Lithuania equivalents.
The regulated-role matrix
This is the load-bearing exhibit. The table classifies common fintech roles across the four major Western European fintech jurisdictions plus Lithuania. "EOR-eligible" means the role can sit on EOR paper without triggering a regulator-individual approval requirement. "Licensed entity" means the role must, in practice, sit on the firm's own licensed payroll.
The matrix is a framework, not advice. Specific role scoping should be reviewed by FCA, CBI, DNB, BaFin, or Bank of Lithuania counsel for any actual hire.
In the licensed-entity rows, the cell shows the regulator's designation; all such roles must sit on the firm's own licensed payroll.
Two call-outs.
The "non-certified" qualifier matters. A senior risk analyst is EOR-eligible only if the firm does not certify them under the FCA Certification regime as performing a function that could cause significant harm. If the firm intends to certify them, they need to be on the firm's payroll, since the firm is doing the certifying. The same logic applies to the Irish CF regime and DNB's broader F&P scope.
Geschäftsleiter is a hard line in Germany. Under BaFin Circular 11/2025, effective for examinations from January 1, 2026, time availability cannot fall below 50%, German or English language sufficient for direct regulator communication is required, and IT and cyber competence is mandatory. The role cannot be intermediated.
Country-by-country read
United Kingdom (FCA SMCR). Three tiers: Senior Manager Functions, the Certification regime for individuals who could cause significant harm, and Conduct Rules. SMF approval is by the FCA before the individual takes the role, on a Form A and Statement of Responsibilities. For an EMI applicant, SMF1, SMF3, SMF16, and SMF17 must be named and approved as part of the authorization file. New FCA safeguarding rules take effect May 7, 2026.
Ireland (Central Bank of Ireland F&P). Pre-Approval Controlled Functions (PCFs) require CBI pre-approval; a broader Controlled Function (CF) tier the firm self-assesses sits underneath. The CBI revised the F&P Guidance effective November 20, 2025 and on January 28, 2026 added PCF-56 (Head of Safeguarding for PI / EMI) and PCF-57. For a US fintech authorizing as an Irish EMI, PCF-56 must be CBI-approved before the file is complete.
Netherlands (DNB and AFM). Fitness-and-propriety regime for management and supervisory board members at regulated institutions, with DNB the prudential lead. Fitness covers knowledge, skills, and behavior; propriety covers criminal, financial, supervisory, and tax antecedents. Fees are EUR 2,000 for fitness and EUR 1,100 for propriety. In-scope roles sit on the Dutch entity; everything outside F&P scope is EOR-eligible.
Germany (BaFin). Anchored in the Banking Act (KWG). BaFin Circular 11/2025, effective January 1, 2026, tightens fit-and-proper requirements for Geschäftsleiter and supervisory body members: time availability above 50%, German or English sufficient for direct regulator communication, mandatory IT and cyber competence. The German termination and works-council mechanics apply on the EOR side too; that is a TCO conversation, not a regulated-role conversation.
Lithuania (Bank of Lithuania). Bank of Lithuania-supervised EMIs number more than 80, making Lithuania the largest EU EMI hub by license count post-Brexit. Full EMI processing is 3 to 6 months; minimum initial capital is EUR 350,000 under EMD2. The Bank of Lithuania runs its own fit-and-proper assessment for board and senior management. A Lithuania-licensed EMI passports into all 30 EU / EEA states.
Regulated-adjacent roles where EOR fits cleanly
For a Series-C fintech, these are the roles where EOR is the right answer, often for years.
The honest test is the Statement of Responsibilities test in reverse. If you cannot imagine the regulator asking who is personally responsible at the firm for what the role does, the role is EOR-eligible.
The DORA question for ICT roles
DORA went live January 17, 2025, with first register-of-information submissions due January 31, 2026 for 2025 data. The register requires details of each ICT third-party service provider, supply chain mapping, and assessment of services supporting critical functions, with LEI or EUID identifiers.
Does an EOR carrying engineering or risk-tech staff count as an ICT third-party? In our reading, no. An EOR is the legal employer of an individual who works on the financial entity's systems; it is not itself an ICT service provider. ICT third parties under DORA are providers of cloud, data centre, hardware, telecom, analytics, IT consulting, or software services. EOR staff are part of the financial entity's directed workforce.
Two contract requirements make that conclusion read cleanly. First, the MSA should be explicit that the EOR provides employment services and that all ICT work direction, system access, code review, and output ownership runs to the financial entity. Second, if the arrangement also includes outsourced IT services (managed help desk, infrastructure operations, dev-ops-as-a-service), treat those as ICT third parties in their own right and register them; mixing managed services into an EOR contract is a DORA register problem.
Aggregator-model EORs, where the worker's legal employer is a partner entity rather than the contracting EOR, complicate the chain enough that we recommend owned-entity providers for any client with DORA exposure.
Background-check depth: FCA expectations vs EOR standard
Standard EOR onboarding covers right-to-work, identity, employment history (commonly two to three previous employers), and country-standard criminal checks. For most engineering, product, and GTM hires, that is sufficient.
For SMF and Certification roles, SYSC 22 requires regulatory references covering the previous six years from each previous employer in scope, in the SYSC 22.2 template format, plus full criminal record, credit history, sanctions screening, and financial-services-specific employment history.
The contractual gap matters for regulated-adjacent EOR roles. For SMFs and Certified individuals on the licensed entity, the firm runs the FCA-grade checks itself. For EOR-employed roles (a fraud engineer, a non-certified risk analyst), specify in the MSA that background-check depth meets FCA expectations, that the screening provider is acceptable to the firm's compliance function, and that adverse findings are escalated rather than absorbed by the EOR. Most owned-entity EORs will extend their package on request; aggregator providers often cannot. Ask before signing.
What to look for in an EOR partner for fintech
Five criteria matter more than for a generic tech buyer.
- Owned entities in the fintech-relevant jurisdictions. UK, Ireland, Netherlands, Germany, Poland, Lithuania, Portugal, Spain, Estonia, plus the LATAM and APAC countries you want for GTM. Aggregator coverage adds a second legal employer between you and the worker; for DORA register purposes and clean exit migration, owned-entity is materially better.
- Contractual clarity on direction-of-work. The MSA should read to your General Counsel as a clean employment-services contract, with no language suggesting the EOR operates ICT systems or provides managed services.
- Background-check depth on demand. The provider should be able to run, or accept the output of, FCA-grade checks for regulated-adjacent roles. A provider that responds "we run our standard package" without scoping up is not the right provider.
- Migration playbook to your licensed entity, in writing. When the FCA grants authorization and you need to move EOR-employed individuals onto entity payroll, the handover has to be clean enough to preserve continuity of service for SYSC 22 purposes.
- Payroll funding model. Some providers require pre-funded payroll; others invoice in arrears. For a fintech with constrained working capital during the authorization burn, the difference is material.
Borderless AI operates on an owned-entity model across 170+ countries, invoices payroll without requiring pre-funded salary deposits, and runs in-house support from North America. The fintech pattern we see most often: regulated leadership on the licensed entity (carried by local employment counsel), the rest of the team on EOR until country thresholds justify entity ownership. Other providers are worth evaluating; the criteria matter more than the brand.
The first 90 days for a fintech using EOR alongside authorization
- Days 1 to 7. Provider verification (entities in UK, IE, NL, DE, PL or LT depending on plan; SOC 2; data handling). Role-by-role classification against the matrix, in a meeting that includes General Counsel and the FCA application advisor. MSA signed with explicit direction-of-work language.
- Days 7 to 21. First country live for EOR-eligible roles. Background checks at fintech-appropriate depth. In parallel, licensed-entity hiring tracks for SMF / PCF / DNB / BaFin roles, run via local employment counsel and the firm's own payroll.
- Days 21 to 45. Payroll cycle one for EOR roles. Statement-of-Responsibilities drafting for SMF candidates with FCA application advisor. SYSC 22 reference requests sent. PCF / F&P questionnaires drafted for IE / NL hires. DORA register draft begins.
- Days 45 to 90. Second country onboarded. EOR-to-entity migration plan drafted in writing for the country where the authorized entity will sit. SMF approvals submitted; PCF approvals submitted; DNB / BaFin pre-applications opened.
The EOR-eligible side and the licensed-entity side run in parallel from day one. By day 90 the authorization file should be substantially built.
Cost and timeline: licensed entity vs EOR vs contractor
Numbers are typical ranges, not quotes.
A useful heuristic: EOR is usually cheaper below 8 to 15 EOR-eligible employees per country; entity ownership is usually cheaper above that. The licensed-entity track is governed by the authorization itself rather than headcount. Germany pushes the EOR-to-entity threshold lower because of works-council and statutory employer load.
EOR-to-licensed-entity migration playbook
This is the part most EOR content does not write down. Two migrations run in parallel.
Migration 1: SMF / PCF / Geschäftsleiter / F&P-tested roles. These were never on EOR paper if the matrix was followed. They were hired directly onto the licensed entity from day one. At authorization, the Statement of Responsibilities goes live, the regulator's approval becomes effective, and the role starts in its full statutory form. No migration is needed.
Migration 2: EOR-employed regulated-adjacent and operational roles, selectively. Once the licensed entity is live and the firm decides that owning the entity is cheaper than renting it for the local team, EOR-employed individuals migrate onto the firm's own payroll. Step-by-step:
- Decide which roles migrate. Not all do. A fraud engineer in Lisbon may stay on EOR for years even after a UK entity is live, because there are not enough Portugal-based hires to justify a Portuguese subsidiary. Run the threshold per country.
- Notice and consultation. UK TUPE typically does not apply to a single-individual migration, but the practical effect should be similar: continuity of service and terms, clean paper trail. In NL and DE, works-council notification may apply.
- Continuity of service for SYSC 22. For UK regulated-adjacent hires who later become Certified or SMF, the firm needs to provide a regulatory reference covering the previous six years including the EOR period. The EOR confirms in writing the start date, role, conduct, and any relevant findings; the firm documents continuity from the EOR start date forward. Build this paperwork into the MSA at signing, not at migration.
- Equity and benefits. Most fintechs run NSO grants for EOR-employed individuals and migrate to UK EMI (Enterprise Management Incentive, not Electronic Money Institution) options once the individual is on the UK entity, where eligible.
- Payroll handover. Last EOR pay date and first entity pay date coordinated to avoid double-pay or zero-pay weeks. Tax codes, social-security continuity, benefits enrollment all in the same window.
- Regulator notification, if relevant. If a migrated individual is being uplifted to Certified or proposed for an SMF, notification follows the standard SMCR or PCF process. The migration itself is not a regulator event.
A clean migration playbook is part of what to ask for when evaluating EOR providers.
A practical decision frame
Sequencing is almost always the same: build licensed-entity headcount and EOR-backbone headcount in parallel during authorization; migrate selectively after authorization where the country threshold justifies it.
Important disclaimer
This article is a framework, not regulatory advice. The matrix and the migration playbook reflect market practice we see across fintechs in the FCA, CBI, DNB, BaFin, and Bank of Lithuania authorization tracks. Specific role classification, Statement of Responsibilities drafting, F&P questionnaire submission, and authorization strategy should be reviewed by counsel qualified in the relevant jurisdiction for any actual hire. Nothing here substitutes for FCA, CBI, DNB, BaFin, or Bank of Lithuania advice on a specific case.
FAQs
Can a fintech hire its MLRO via EOR?
In market practice, no. The MLRO (SMF17 in the UK, PCF-15 / PCF-52 in Ireland, equivalent F&P roles in NL and BaFin-supervised roles in DE) carries personal regulatory and criminal liability under MLR 2017. The role sits on the licensed entity's payroll. The FCA does not explicitly prohibit EOR for SMFs in the Handbook, but the Statement of Responsibilities, SYSC 22 reference chain, and competence-and-capability expectations make it impractical.
Can a fintech hire an SMF16 (Head of Compliance) via EOR?
Same answer. The FCA's competence and capability expectations are explicit that the firm's internal compliance capability cannot be outsourced.
Can an Irish PCF role sit on EOR paper?
No. PCF roles require CBI pre-approval before appointment, on a fitness-and-probity questionnaire. PCF-56 (Head of Safeguarding for PI / EMI), added in 2026, follows the same logic.
Are software engineers and risk analysts EOR-eligible?
Yes, as long as they are not Certified under the FCA Certification regime, not PCF or CF designated in Ireland, not F&P-tested in the Netherlands, and not Geschäftsleiter under BaFin. Specify FCA-grade background-check depth in the MSA for regulated-adjacent roles.
Does DORA stop a fintech from using an EOR?
No. An EOR is an employment-services provider, not an ICT third-party in the DORA sense. With direction-of-work and output-ownership language explicit in the MSA, EOR-employed engineers are part of the financial entity's directed workforce and do not enter the DORA register as ICT third parties.
How do FCA-grade background checks work for regulated-adjacent EOR roles?
Specify in the MSA that depth must include SYSC 22-equivalent regulatory references covering six years where applicable, full criminal-record check, credit history, and sanctions screening. Most owned-entity EORs can extend their package; aggregator providers often cannot.
Is Lithuania a workable jurisdiction for a US fintech entering EU?
Yes. The Bank of Lithuania supervises more than 80 EMIs, full EMI processing is 3 to 6 months (fastest in the EU), and a Lithuanian EMI passports into all 30 EU / EEA states. The fit-and-proper assessment runs on the Lithuanian entity; EOR carries the rest of the team across whichever EU country the candidate lives in.
Further reading
- How Tech Companies Are Turning to Employer of Record Services
- How US SaaS companies build their first EMEA team with EOR
- Contributor to employee: the EOR playbook for open-source companies
- Why medical companies are turning to Employer of Record services
Where this leaves fintechs in the authorization window
The EOR-or-not question for a fintech is the wrong question. The right question is which roles, and the answer is a matrix. SMFs, PCFs, Geschäftsleiter, F&P-tested board roles, and FCA-Certified individuals sit on the licensed entity. Almost everything else, the engineers, the designers, the non-certified analysts, the ops managers, the commercial hires, sits on EOR paper for as long as country thresholds make that the right call. The clean structure runs both tracks in parallel from day one of authorization build-out and migrates selectively after authorization.
If you are a fintech in the FCA, CBI, DNB, BaFin, or Bank of Lithuania authorization track and want a specific conversation about the matrix, the DORA contract structure, the background-check depth, or the migration playbook, Borderless AI's fintech team is set up for that conversation.