Sumsub
The Sumsuber

Best practices for KYC/AML

Guides
2022-06-17
6 min read

How to Comply With AML Regulations and Licensing Requirements in Lithuania—an EU Fintech Hub

Everything you need to know if you pick Lithuania as a launchpad for your fintech.

Lithuania has become a European fintech hotspot thanks to its optimized licensing process for e-money and payment services.  Unsurprisingly, this has attracted leading firms to the country, including Revolut—a UK-based unicorn with a $33 billion valuation. 

Anti-Money-Laundering (AML) compliance is an essential requirement for getting licensed in Lithuania. So let’s dive deep into the country’s regulatory and licensing regime.

Highlights

  1. How did Lithuania become a fintech hub?
  2. Licensing requirements in Lithuania
  3. AML regulations in Lithuania
  4. AML obligations
  5. How to get compliant
  6. Key takeaways

How did Lithuania become a fintech hub?

Fintech growth in Lithuania has been driven by Brexit, as fintech start-ups have had to find EU-based alternatives to the UK for their operations within the bloc.  Lithuania has emerged as an attractive jurisdiction thanks to the business-friendly practices of the Bank of Lithuania, which enable companies to: 

  • obtain a license in just 3 months; 
  • test innovations in a live environment through a regulatory sandbox; 
  • obtain full SEPA reachability via CENTROlink—a payment system operated by the Bank of Lithuania;
  • get a financial institution code for their own IBAN accounts.

Currently, Lithuania has licensed over 250 fintechs including EMI sector leaders like Revolut, Shift4 Payments, Contis, TransferGo, and others. The country is also within the top 10 of the Global Fintech Ranking.

Licensing requirements in Lithuania 

Lithuania offers an optimized licensing process for payment institutions (PIs) and e-money institutions (EMIs). The licensing rules are described in Resolution № 238 on the authorisations granted by the Bank of Lithuania to Electronic Money Institutions and Payment Institutions (“the Resolution”). 

To apply for a license, businesses must fill in the application form provided in Annex 1 (for EMIs) and Annex 2 (for PIs) of the Resolution and prepare a package of documents. This includes:

  1. Documents confirming legal status;
  2. Document confirming the payment of the license fee:
  1. Program of operations (according to Annex 6 of the Resolution);
  2. Business plan (according to Annex 7 of the Resolution);
  3. Evidence of the required amount* of initial capital, such as either of the following:
  • A set of annual financial statements of the previous financial year;
  • An extract from a public register specifying the registered capital; 
  • A statement from a savings account issued by a bank or other credit institution licensed to provide financial services in Lithuania;
  1. Description of internal controls (according to Annex 9 of the Resolution);
  2. Description of measures of safeguarding customer funds (according to Annex 8 of the Resolution);
  3. Description of organizational structure (according to  Annex 10 of the Resolution);
  4. Description of internal AML/CFT procedures (according to Annex 12 of the Resolution).
  5. Professional indemnity insurance contract or equivalent documents.

The full list of documents and requirements are provided in the Resolution, the Republic of Lithuania Law on Electronic Money and Electronic Money Institutions and the Republic of Lithuania Law on Payment Institutions.

*Initial capital requirements depend on the type of license, namely:

  • EMI—€350,000;
  • PI—from €20,000 to €125,000; 

The amount of initial capital needed for a PI license depends on the services that the applicant intends to provide. The list of services can be found in Article 6 of the Republic of Lithuania Law on Payments. The corresponding amounts of initial capital are described in Article 14 of the Republic of Lithuania Law on Payment Institutions.

Application process

The license issuing process takes on average 3 months and includes several steps:

  1. The applicant meets with the Bank of Lithuania to discuss the service’s business model and potential risks (this step is not mandatory but a recommendation from the Bank of Lithuania);
  2. The applicant submits an application form to the Supervision Service of the Bank of Lithuania. The review takes five business days*;
  3. The Bank of Lithuania examines the application and takes a decision about the issuance or refusal of a license.

*In cases when documents are unsubmitted or submitted with deficiencies, the application period may be extended.

All in all,  getting licensed as an EMI and a PI in Lithuania entails significantly lower incorporation and operational costs compared to other European countries. At the same time, licensed businesses must сomply with the Lithuanian AML regulations. Below, we’ll talk about these obligations in detail.

AML regulations in Lithuania

Who’s affected

Lithuania’s AML law targets “financial institutions” and “other obliged entities” operating or willing to operate in Lithuania. Namely, the regulated businesses include:

Financial institutions:

  • credit institutions;
  • payment institutions;
  • e-money institutions;
  • currency exchanges;
  • crowdfunding platforms;
  • peer-to-peer lending platforms;
  • insurance companies;
  • investment companies.

Branches of foreign financial institutions established in Lithuania are also subject to the Lithuanian AML scope. This includes e-money and payment institutions whose head office is in another EU Member State providing services in Lithuania via branches or agents.

Other obliged entities:

  • virtual currency exchanges;
  • custodian virtual currency wallets;
  • auditors;
  • judicial officers;
  • accounting or tax advisory services;
  • notaries services;
  • gaming companies and lottery companies;
  • art dealing services.

For a full list of “other obliged entities”, check out Article 2, paragraph 10 of Law on the Prevention of Money Laundering and Terrorist Financing.

Who’s the regulator

There are two main supervising authorities for fintech companies in Lithuania:

  1. The Bank of Lithuania issues instructions for businesses and supervises their AML measures;
  2. The Financial Crime Investigation Service (“the FCIS”) is the authority to which businesses must report suspicious monetary operations and transactions. Businesses must also notify the FCIS about compliance officer appointments within seven working days from the date of their designation.

AML obligations

Under Lithuanian AML law, businesses must: 

  1. Implement AML policies and procedures;
  2. Conduct Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD); 
  3. Comply with requirements for face-to-face and remote identification;
  4. Conduct ongoing monitoring of the customer’s business relationship and transactions;
  5. Appoint a Money Laundering Reporting Officer (MLRO), conduct audits, controls, and staff trainings;
  6. Report to the Financial Crime Investigation Service (FCIS);
  7. Store information on business relationships and transactions.

The Bank of Lithuania provides businesses with guidelines on AML measures in the Amending resolution № 03-17 of the board of the Bank of Lithuania of 12 February 2015 on the approval of the guidelines on the prevention of money laundering and/or terrorist financing. 

How to get compliant

Customer Due Diligence requirements

Customer Due Diligence (CDD) is the process of identifying customers/beneficial owners and verifying their identity. CDD also includes obtaining information on the purpose and intended nature of the business relationship or transaction. According to the AML law, businesses in Lithuania must undertake CDD before: 

  1. Establishing a business relationship;
  2. Carrying out transactions equal to or exceeding €15,000 in value (via a single operation or several linked operations);
  3. Buying or selling cash equal to or exceeding €3,000 in value (via a single operation or several linked operations);
  4. Providing money remittance services in cash equal to or exceeding €600 in value;
  5. Executing and accepting money transfers in compliance with the provisions of Regulation (EU) No 847/2015;
  6. Carrying out operations in virtual currency equal to or exceeding €1,000 in value (via a single operation or several linked operations):
  • exchange operations or transactions; 
  • depositing to or withdrawing virtual currency from a depository virtual currency wallet.

Additionally, CDD measures are required when there are doubts over the authenticity of KYC data previously obtained from the customer. Other cases mandating CDD are described in Article 9, Paragraphs 2-10 of the AML Law.

KYC requirements

Know Your Customer (KYC) as a part of CDD is the process of identifying and verifying customers. The AML Law describes the information that businesses must obtain from natural and legal persons for their identification and verification.

Identification of natural persons

When the customer is a foreigner, the personal number can be replaced by any other unique identifier or date of birth. Also, in case of foreign customers, businesses must obtain information on their residence permit, namely its number, place and date of issuance, and validity period.

Identification of legal persons

When identifying legal entities businesses must identify their beneficial owners.

The beneficial owner is a person who directly or indirectly owns more than 25% of a company’s capital/voting rights or otherwise exercises ultimate control over it.

Identification of beneficial owners

When identifying a beneficial owner, businesses can use the Information System of Legal Entities Participants (JADIS) or other state registers to assure the validity of the obtained data. Businesses can also ask customers to indicate public sources that could validate information about their beneficial owner(s).

Remote KYC requirements

The AML law describes cases when businesses are allowed to identify and verify customers and beneficial owners without their physical presence. This includes cases when:

1. Using verification data obtained from other financial institutions or obliged entities if they meet two conditions:

  • they immediately provide to businesses all KYC data upon request;
  • they immediately provide to businesses copies of the KYC documents;

In this case, it is still the businesses’ responsibility to comply with the CDD requirements and the AML law.

2. Using remote verification solutions operating under the electronic identification schemes with high or substantial assurance levels under Regulation (EU) No 910/2014 (“eIDAS Regulation”);

3. Obtaining a qualified electronic signature under the eIDAS Regulation to confirm a person’s identity;

4. Verifying the customer’s identity documents via a video call. In case the customer’s face is not recorded during the video, their identity must be validated by an advanced electronic signature (according to Article 26 of the eIDAS Regulation);

5. Ensuring that the customer’s first payment comes from an account linked to an EU credit institution or credit institution of a third country applying the same AML standards. This can only be done by simultaneously obtaining a paper copy of the customer’s ID, in case the copy is notarised or certified by a local chief or a consular officer.

Reporting suspicious transactions

During CDD and ongoing monitoring, businesses must pay attention to suspicious transactions. This includes, but not limited to:

  • Unusually large transactions;
  • Transactions conducted in an unusual pattern;
  • Transactions that do not have an apparent economic or lawful purpose;
  • Business relationships or operations with customers from third countries where AML/CTF measures are insufficient.

When businesses detect a suspicious transaction, they must take the following steps:

  1. Suspend or freeze the transaction;
  2. Report this transaction to the FCIS no later than within three working hours from the suspension of the transaction.

Key takeaways

Lithuania is one of the most attractive jurisdictions in the EU in terms of payment and e-money institution licensing due to its fastest licensing process, newcomer program, and the friendly investment and start-up environment. At the same time, Lithuania made significant progress in combatting  money laundering and terrorist financing, underscoring the importance of compliance for fintechs willing to enter this country.   To truly benefit from this promising fintech hub,  businesses should ensure they’re meeting all the current and future regulations that Lithuania rolls out.

Where to find out more:

  1. Bank of Lithuania—EMI licensing requirements
  2. Bank of Lithuania—PI licensing requirements
  3. Bank of Lithuania—Recommendations for license applicants
  4. Lithuania’s Centre of Excellence in Anti-Money Laundering

Let us help your company stay compliant with AML/KYC regulations in Lithuania. Get in touch with us today.

See Sumsub in action

Share

Tell us about your business goals and we’ll come back with a tailored solution

Book a demo