A Summary of Bank of Lithuania's Dear CEO Letter, 2021.

Agenda
• Introduction
• Background
• Strategic Direction
• Compliance Requirements
• Best Practices
• Conclusion
• Links
Introduction
Welcome to the presentation on Regulatory Expectations for FinTech
Companies.
• In this session, we'll explore a communication from the Bank of Lithuania addressing regulatory expectations for electronic money and payment institutions.
• We'll discuss the key objectives outlined in the Dear CEO letter and its implications for the FinTech sector.
Let's begin by understanding the context and importance of regulatory
compliance in the evolving financial landscape.
Background
• The Bank of Lithuania issued a Dear CEO letter to electronic money and payment institutions in Lithuania, outlining regulatory expectations for governance, internal control, and the enhancement of compliance culture.
• Emphasis was placed on compliance with legal requirements and the alignment of business expansion with operational readiness. Personal accountability of company managers was underscored, with increased attention to management assessment.
• The letter forms part of planned supervisory measures to mature the FinTech sector and strengthen compliance culture, aligning with the Bank of Lithuania's strategic directions for 2021-2024.
Strategic Directions
• The Bank of Lithuania's strategic directions for 2021-2024 prioritize maturity and compliance culture within the FinTech sector.
• Regulatory oversight and adherence to legal requirements are emphasized as fundamental pillars for sustainable growth and development.
• The strategic focus aligns with the broader objective of fostering a robust and responsible financial ecosystem that instills trust and confidence among stakeholders.
Compliance Requirements
1. Strengthening of Governance, Internal Control, and Compliance Culture
• Creation of internal control mechanisms
• Adaptation of internal control processes, policies, and procedures
• Implementation of a risk management strategy
• Appointment of key personnel: compliance officer, information security officer, anti-money laundering officer
2. Importance of Compliance with Legal Requirements
• Adherence to regulatory requirements related to money laundering, terrorist financing, equity capital, internal control, etc.
• Timely implementation of measures outlined in regulatory documents
3. Prospective Approach to Supervision
• Proactive identification of potential risks
• Early measures to eliminate identified risks
• Focus on continuous improvement and adherence to regulatory standards
Important requirements in practice
Protection of Client Funds
• Implementation of internal procedures to safeguard client funds and periodic revision of these processes.
Due Assurance of Capital Requirements
• Continuous monitoring of equity requirements to ensure financial stability and resilience.
Data Reliability and Timely Submission of Reports
• Establishment of effective internal control procedures for accurate and timely submission of reports.
Outsourcing of Business Functions
• Proper management and oversight of outsourcing agreements to maintain control over critical functions.
Handling Customer Complaints
• Adherence to established procedures for efficient investigation and resolution of customer complaints.
Money Laundering and Terrorist Financing Risk Management
• Integration of risk management practices to mitigate the risks associated with money laundering and terrorist financing.
1. Information and Communication Technologies and Security Risk Management
• Include ICT and security risk management in the overall internal control system
• Approve an ICT strategy and base risk management on the three-lines-of-defence model
• Create and implement an information security policy and conduct security tests
• Establish an ICT incident and issue management process
• Implement management processes for ICT projects and modifications
• Develop a reliable business continuity management process
• Classify business functions, auxiliary processes, and information resources by importance
• Assess ICT and security risks at least once per year
• Submit the operational and security risk assessment report to the Bank of Lithuania
• Report submission deadline: 31 December of the current year
2. Internal Control and Governance
• Regulatory Framework: The Governance Requirements, effective since January 2021, mandate robust internal control mechanisms for electronic money and payment institutions.
• Bank of Lithuania's Observations: Institutions often establish internal controls reactively, upon receiving notices from the Bank of Lithuania or during inspections, lacking tailored policies and procedures.
• Risk Management Strategy:
• Compliance involves approving a risk management strategy, delineating risk scope, limits, and internal procedures for risk identification, assessment, monitoring, mitigation, and control.
• Quarterly risk map provision to the management and annual risk management report submission are mandatory.
• Recruitment Commitments: Institutions frequently fail to honor recruitment commitments made during licensing, especially concerning staffing for management and control functions.
• Reliable Governance System: A dependable governance system entails appointing individuals for control functions after considering legal requirements, institutional risks, and personnel competence.
• Best Practices Recommended by Bank of Lithuania: It's advisable for newly established institutions to have at least four key roles filled:
✓ Manager permanently residing in Lithuania
✓ Compliance officer
✓ Information security officer
✓ Anti-money laundering and counter-terrorist financing officer
• Staff numbers should align with Governance Requirements and increase accordingly over time.
• The compliance and information security functions should not be combined with internal audit, to maintain efficiency and independence (the ICT and Security Risk Management Requirements).
3. Notifications of Changes in Management and Qualifying Holdings
• Regulatory Framework: The Republic of Lithuania Law on Electronic Money and Electronic Money Institutions and the Republic of Lithuania Law on Payment Institutions outline requirements for notifying the Bank of Lithuania regarding changes in management and acquisitions of qualifying holdings.
• Appointment Approval: Newly appointed managers of electronic money and payment institutions require approval from the Bank of Lithuania.
• Qualifying Holdings: Persons intending to acquire qualifying holdings in the authorized capital or voting rights of electronic money or payment institutions must obtain the Bank of Lithuania's decision without objection (Article 17 of the Republic of Lithuania Law on Electronic Money and Electronic Money Institutions, Article 10 of the Republic of Lithuania Law on Payment Institutions, and Articles 24 and 25 of the Republic of Lithuania Law on Banks).
• Notification Requirements: Receiving a decision without objection from the Bank of Lithuania does not signify the immediate appointment of new managers or acquisition of qualifying holdings. Institutions must separately inform the Bank of Lithuania once new managers assume office or when persons acquire holdings in the authorized capital or voting rights of the institution.
4. Requirements for the Protection of Client Funds
• Legislative Framework: The Republic of Lithuania Law on Electronic Money and Electronic Money Institutions and the Republic of Lithuania Law on Payment Institutions establish measures to safeguard the property rights of electronic money holders and users of payment services.
• Protection Objective: These measures are designed to ensure that in instances of financial difficulty or insolvency, electronic money holders and payment service users are shielded from losses, safeguarding their funds from being used to cover the institution's liabilities.
• Observations by the Bank of Lithuania: During routine assessments and inspections, the Bank of Lithuania has observed deficiencies in ensuring adequate protection of electronic money holder and payment service user funds.
• Compliance Obligations: Institutions are reminded that their management bodies must approve internal documents outlining procedures for fund protection and establish accounting and internal control protocols. These internal documents must be adhered to consistently during licensed activities and periodically reviewed by the institutions.
5. Assurance of Capital Requirements
• Regulatory Framework: The Rules for calculating initial capital and own funds of electronic money institutions and payment institutions, approved by Resolution No 03-83 of the Board of the Bank of Lithuania, outline the standards for ensuring compliance with equity requirements.
• Continuous Compliance Obligations: Institutions are mandated to maintain measures that guarantee continuous compliance with equity requirements, which are fundamental prudential standards.
• Observations by the Bank of Lithuania: Quarterly supervisory reports indicate that some Institutions only ensure equity compliance after the reporting period, potentially jeopardizing financial stability. The Bank of Lithuania emphasizes the importance of proactive compliance and learning from past mistakes.
• Strategic Approach: Institutions' managers should proactively consider income, expenses, customer acquisition plans, and project performance to ensure stable operations and meet equity requirements consistently. Merely meeting minimum equity thresholds is insufficient; institutions should aim to build reserves to cover potential losses.
• Recommendations for Continuous Compliance: The Bank of Lithuania advises Institutions to designate a responsible employee to monitor equity data continually. This employee would oversee compliance with equity requirements and ensure the implementation and updating of relevant procedures to enforce continuous adherence.
6. Drawing Up and Timely Submission of Reports
The Reporting Procedure (Resolution No 03-105) governs the creation of supervisory reports for electronic money and payment institutions. Resolution No 03-261 outlines procedures for reports on anti-money laundering and counter-terrorist financing measures.
• Data Accuracy Importance: Accurate financial and operational data is crucial for effective oversight, risk assessment, and timely regulatory action. Timely reports safeguard users' property rights, especially during challenges.
• Challenges and Expectations: Institutions face issues like late submissions and data inaccuracies. Robust internal controls are vital, with the head of administration responsible for accurate report submission.
• Compliance Obligations: Meeting deadlines for audited statements and reports, and complying with risk management protocols, is essential for regulatory adherence and report accuracy.
• Risk Mitigation Recommendations: Institutions should implement the Governance Requirements for risk management, ensuring timely and accurate report submissions in line with legal and regulatory expectations.
7. Outsourcing of Business Functions
• Regulatory Framework: The Outsourcing Rules, approved by Resolution No 03-166 of the Board of the Bank of Lithuania, govern the outsourcing of business functions by financial market participants, including electronic money and payment institutions. These rules came into effect on January 1, 2021.
• Management and Supervision: Institutions are obligated to ensure proper management, supervision, monitoring, and control of outsourcing agreements. This involves establishing the position of an administrator of outsourced business functions and appointing an accountable employee reporting directly to the Institution's body or a designated member thereof. Outsourcing must not result in the Institution abdicating its responsibilities or becoming an empty shell.
• Register of Outsourcing Agreements: Institutions must maintain a register of outsourcing agreements and electronically submit the data to the Bank of Lithuania upon request. This requirement aims to enhance transparency and regulatory oversight over outsourced activities.
• Notification Requirements: Notably, Institutions are required to notify the Bank of Lithuania about agreements concerning important business functions. Such notifications, along with draft agreements, must be submitted at least one month before the scheduled conclusion of the outsourcing agreement. This ensures regulatory awareness and allows for adequate assessment of the outsourcing arrangement's impact on the Institution's operations.
8. Handling Customer Complaints
• Regulatory Framework: The Complaint Investigation Rules, adopted by Resolution No 03-105 of the Board of the Bank of Lithuania, govern the investigation of complaints received by financial market participants. These rules were recast and have been in force since July 1, 2017.
• Compliance Requirements: Institutions must ensure that their process for investigating customer complaints adheres to the requirements outlined in Article 90 of the Republic of Lithuania Law on Payments and the Complaint Investigation Rules.
• Complaint Investigation Policy: Institutions are obligated to have an approved complaint investigation policy. This policy should outline the procedures for investigating complaints and detail measures to implement and support their efficiency. Compliance with these rules promotes transparency and accountability in addressing customer concerns.
9. Money Laundering & Terrorist Financing Risk Management
• Guidelines require integrating risk management into internal control systems.
• Clear roles & responsibilities are crucial for effective risk identification & mitigation.
• Separation of employee functions helps prevent conflicts of interest.
• All customers must be subject to risk management measures.
Improvement Measures:
• Ensure employees are adequately qualified and receive continuous training.
• Utilize resources provided by the Bank of Lithuania for compliance assistance.
• Plans for further guidance aim to enhance compliance culture.
Compliance Responsibilities:
• Institutions must adhere to licensing requirements and statutory obligations.
• Compliance is the institution's sole responsibility.
• No response to the communication is necessary.
Best Practices
• Stay Ahead of Compliance Requirements: Take a proactive approach to regulatory compliance by staying updated on changes and swiftly implementing them.
• Build Strong Internal Controls: Develop comprehensive internal control mechanisms covering governance, risk management, and procedures for risk identification and monitoring.
• Assign Responsibility Wisely: Designate qualified individuals to oversee compliance functions such as risk management, AML/CTF regulations, and information security.
• Follow Staffing Guidelines: Adhere to staffing requirements, including roles like a compliance officer and an AML/CTF officer, adjusting as needed for business growth.
• Regular Risk Assessments: Conduct regular assessments of ICT and security risks, and of money laundering and terrorist financing risks, taking steps to mitigate identified risks.
• Submit Reports Promptly: Ensure timely submission of reports, including financial statements, by establishing effective internal control procedures.
• Protect Customer Funds: Establish procedures for protecting customer funds and regularly review and update them for transparency and accountability.
• Maintain Equity Compliance: Continuously monitor compliance with equity capital requirements and aim to maintain sufficient levels to cover potential losses.
• Handle Complaints Transparently: Develop a transparent process for investigating and resolving customer complaints in line with regulatory standards.
• Embrace Continuous Improvement: Foster a culture of ongoing monitoring and improvement to ensure sustained compliance with regulations. Regularly review internal controls and compliance processes for enhancement.
Conclusion
In conclusion, the 'Dear CEO' letter from the Bank of Lithuania serves as a comprehensive guide for financial institutions, outlining essential regulatory requirements and expectations. It emphasizes the importance of robust compliance measures, risk management protocols, and internal controls to ensure the integrity and stability of financial markets. By adhering to the guidelines set forth in the letter, institutions can enhance their regulatory compliance, mitigate operational risks, and uphold the trust and confidence of stakeholders. It is imperative for CEOs and responsible persons within institutions to carefully review and implement the recommendations provided in the letter, fostering a culture of compliance and continuous improvement. Together, with a proactive approach to regulatory compliance, financial institutions can navigate challenges effectively and maintain their integrity in the dynamic landscape of the financial industry.
Thank you.
Should you have any questions, do not hesitate to reach out at kate.Stasoulakou@gmail.com, Katerina Stasoulakou

Links to the relevant regulations:
• Bank of Lithuania presented its expectations to FinTech companies | Bank of Lithuania (lb.lt)
• LB_CEO_letter_emoney_payment_institutions_20210514.pdf