Over the past 12 months, Lithuania has been a predominant leader in the fintech market in Europe. According to Findexable, Lithuania is the fourth-largest fintech hub globally. The country’s welcoming and diverse fintech community already includes more than 230 companies, including Curve, Mambu, Railsbank and Revolut, while during 2021 it is expected to add 100 new applicants according to the Bank of Lithuania.
The fact that 2020 has been an exceptional year for the Lithuanian fintech market is demonstrated by the high increase in both the number and activities of licensed fintech market participants, mainly due to the Bank of Lithuania and government-led initiatives, the booming digital finance market as a result of the COVID-19 outbreak, and Brexit.
Regarding the latter, Lithuania has been a priority gateway for UK fintech market participants while looking for the most attractive business shelf in Europe (eg, Curve, Fidelis Europe, DiPocket etc).
In terms of the COVID-19 outbreak, Lithuania’s fintech market has remained relatively resilient. The global pandemic has stimulated fintech activities in certain industries, while the digital payments sector has been booming. Based on Bank of Lithuania research, digital payment transactions executed by electronic money institutions (EMIs) and payment institutions (PIs) grew 1.6 times year on year to reach a total of EUR24.9 billion in Q3 2020. Another notable aspect is that financial market participants who have been granted licences within the past two years have managed to greatly increase their business volumes (bank link payments grew approximately 51%, while online payments by card increased by 125%). Another positive aspect is that payment services providers were able to adapt by ensuring the provision of services which had not previously been offered remotely, or introduced remote identification of new customers.
As everyone is aware of the Lithuanian regulator’s co-operative attitude, efficient authorisation process, innovative approach and payment infrastructure (CENTROlink), the Lithuanian government together with the Bank of Lithuania continue to significantly contribute to the fintech market. Specifically, a more favourable regulation was recently introduced, allowing new legal entities to open accumulative bank accounts not only in credit institutions, but also in EMIs. In addition, new legislation allowing remote identification with a driver’s licence contributes to this end as well. The fintech market in Lithuania is also looking forward to diving deep with the Bank of Lithuania’s ambitions relating to blockchain technologies and the Centre of Excellence in Anti-Money Laundering – an initiative which unites finance market players, regulators and the government, with a goal to further refining anti-money laundering and combating the financing of terrorism (AML/CFT) controls.
The predominant types of fintech businesses currently established in Lithuania are payment and remittance service providers. However, Lithuania has become an attractive centre for many other start-ups as well as financial software providers, challenger banks, digital bankers, online investment and P2P service providers, lenders, identity verification service providers, and insurtech and regtech companies.
There is no special regulation for fintech businesses in Lithuania. However, if a fintech company intends to provide financial services, it becomes subject to the supervision of the Bank of Lithuania and its obligations are established in separate laws setting the regulatory framework for particular financial services.
Specifically, the following are considered to be financial services that need authorisation from the Bank of Lithuania in order to offer their services to customers: receipt of deposits; consumer lending; payment and electronic money services; conclusion of transactions, at one’s own or a client’s expense; investment services; currency exchange; provision of services related to securities issues; management of investment funds; closed-end investment companies; pension funds or investment companies with variable capital; custody, accounting and management of financial instruments; crowd-funding; and peer-to-peer lending services.
Predominant Fintech Businesses
The predominant types of fintech businesses currently established in Lithuania that require authorisation from the Bank of Lithuania are listed below.
Electronic money institutions (EMIs)
In order to accept money from customers in the electronic domain and to hold it in payment accounts (e-wallets) for an indefinite period, issue electronic money (e-money) and then redeem it, it is necessary to be a licensed EMI, which is authorised to issue electronic money and provide payment services in Lithuania and other European Economic Area (EEA) countries. Depending on the business case and scope of issued licences, EMIs may be authorised to provide the following payment services:
Payment institutions (PIs)
Licensed PIs can also provide all the aforementioned payment services both in Lithuania and other EEA countries. The main difference between EMIs and PIs is that PIs are forbidden to withhold customer funds for longer than is technically and operationally necessary to provide agreed payment services, ie, PIs can only hold customers’ funds in payment accounts for a limited time.
Specialised banks are becoming more and more popular in Lithuania as they have only EUR1 million minimum equity capital requirement compared to the EUR5 million required by a full-service bank, and they are permitted to provide all the traditional banking services both in Lithuania and across the EEA, such as receipt of deposits, lending (including mortgage secured loans and consumer credits), payment services, etc. The main difference, in terms of services, between a specialised and full-service bank is that only the latter is permitted to provide investment-related services.
Insurance undertakings and insurance intermediaries
An insurance undertaking’s licence allows the undertaking to engage in insurance or reinsurance activities in Lithuania and across the EEA, whereby insurance intermediaries, such as insurance broker undertakings and insurance agents, are permitted to take up and pursue the distribution of insurance and reinsurance products both in Lithuania and other EEA countries. Note that insurance broker undertakings may distribute insurance and reinsurance products only upon being included in the public list of insurance broker undertakings administered by the Bank of Lithuania, while insurance agents may only distribute insurance products after registration with the insurer.
Consumer credit providers
Only those undertakings included in the public list of consumer credit providers administered by the Bank of Lithuania are allowed to provide credits in the form of a deferred payment, loan or other similar financial accommodation to a natural person who seeks to conclude or is concluding a credit agreement for personal, family or household purposes, and who is acting for purposes outside their business or profession (ie, a consumer). Note that a different legal framework applies to consumer credit providers, who provide credits secured by a mortgage, and to those whose credits are not secured by a mortgage. However, under the Lithuanian regulatory regime, all consumer credit providers are subject to, and must adhere to, a responsible lending principle and assess consumers’ creditworthiness before providing any credits. Note that there are no passporting rights in respect of consumer lending, except for banks, ie, these undertakings are only allowed to grant consumer credits to Lithuanian residents.
Crowdfunding platform operators
Upon being included in the public list of crowdfunding platform operators administered by the Bank of Lithuania, legal entities are permitted to administer and provide crowdfunding platform operator services (ie, provide access to the crowdfunding platform and provide other ancillary services) in Lithuania to funders and project owners. Note that from 10 November 2021, Regulation (EU) 2020/1503 on European crowdfunding service providers for business will come into force; therefore, from that moment such crowdfunding platform operators will have the right to offer their services across the EEA with a single authorisation.
Peer-to-peer (P2P) lending platform operators
Only those legal entities that are included in the public list of P2P lending platform operators administered by the Bank of Lithuania are permitted to provide access to their administered P2P lending platform in Lithuania for lenders and borrowers seeking financing. Note that a different legal framework applies to P2P lending platform operators administering a P2P lending platform where lending is secured by a mortgage, and for those P2P lending platform operators providing access to a P2P lending platform where lending is not secured by a mortgage.
Financial brokerage firms
A financial brokerage firm must be licensed in order to provide one or more investment services and/or engage in one or more types of investment activities in Lithuania. Licensed financial brokerage firms may passport their licence throughout the entire EEA.
Financial advisory companies
In order to provide financial advisory and other ancillary services in Lithuania, legal entities need to be licensed in Lithuania. Financial advisory companies do not have passporting rights.
There are different types of management company licences in Lithuania:
Note that only the latter two licences can be passported throughout the entire EEA.
In most cases, compensation models are not regulated by the applicable laws; however, specific fintech sectors are subject to specific rules regarding the compensation models they use, as explained below.
EMIs cannot apply any additional fee for the redemption of e-money (except in certain cases set forth in the applicable laws). EMIs are only allowed to charge for a payment service related to the redemption of e-money without which the e-money could not be redeemed, eg, credit transfer or cash withdrawal.
Consumer Credit Providers
The total cap of any and all costs for a consumer credit throughout the credit period cannot exceed 100% of the principal amount (this is the main and overall cap). This cap is divided into the following:
P2P lending platform operators
At least 50% of the remuneration paid by the lender and/or the borrower to the operator shall be calculated in proportion to the contributions reimbursed to the lender by the borrower.
The main requirement regarding the compensation model is to clearly define the fees of the service and how the fees are split in the agreement with the customer or other documents binding the parties (such as the prospect of the funds, etc).
The regulatory regime depends on business activities and applies equally to all financial industry participants. However, fintech-specific activities do not qualify as banking operations in most cases. As a result, fintech companies are subject to less stringent requirements:
On 15 October 2018, the Bank of Lithuania opened its regulatory sandbox which allows both potential and existing market participants to test financial innovations in a live environment under the guidance of the Bank of Lithuania. Participants may apply if they meet the following criteria:
It is important to note that the Bank of Lithuania also introduced the world’s first blockchain-based sandbox, developed by a financial market regulator, LBChain. This platform enables market participants to perform blockchain-oriented research, to test and adapt their blockchain-based services, and to offer innovations to their customers.
The Lithuanian legal framework establishes the co-supervision of financial market participants, where each of the regulators listed below has its own area of competencies.
The Bank of Lithuania
The Bank of Lithuania is the supervisory authority of all financial market participants established and licensed and/or authorised to provide financial services in Lithuania (except where the European Central Bank has direct authority over certain banks, as established in Regulation (EU) 1024/2013). The Bank of Lithuania not only grants authorisations and issues licences, but also continuously oversees financial market participants’ activities and their compliance with the prudential requirements established in the applicable legal regulations, by conducting planned and unplanned inspections, analysing the regular reports provided, etc. The Bank of Lithuania also acts as an out-of-court authority, dealing with disputes between consumers and financial market participants.
The State Data Protection Inspectorate
The State Data Protection Inspectorate supervises how financial market participants can ensure data protection and implementation of the General Data Protection Regulation (EU) 2016/679 (GDPR). The State Data Protection Inspectorate also assesses complaints received on improperly processed data.
The Financial Crime Investigation Service
Besides its overall responsibility to implement the national anti-money laundering system, the Financial Crime Investigation Service also analyses and investigates the reports submitted by financial institutions and other obliged entities on suspicious or unusual monetary operations and transactions, on the observed indications of possible money laundering and financing of terrorism (ML/FT) or violations, and provides mandatory guidance in respect of such reports.
Lithuanian legal acts set forth comprehensive requirements for the outsourcing procedure that need to be implemented by qualifying financial market participants.
Regulated functions should always be considered as significant (note that there are other functions that might be considered significant even if they are not regulated functions) and, therefore, the function can only be outsourced to a service provider that is authorised or registered, or otherwise allowed to perform the function.
Additionally, the company will not only have to perform a thorough due diligence and commercial assessment of the service provider, as it would in the case of outsourcing of other functions, but also perform a comprehensive risk assessment related to the outsourcing of the significant operational function.
Notably, the legal acts of Lithuania provide a full-scale list of provisions that must be reflected, for significant functions, in the outsourcing agreement, while for other functions, contractual provisions are optional as viewed appropriate. Besides other contractual requirements imposed on service providers under the agreement, the main obligations of service providers are to ensure:
It is mandatory to notify the Bank of Lithuania at least one month in advance of the planned conclusion of an outsourcing agreement on significant functions and to receive approval for such outsourcing.
Financial institutions play an important role as gatekeepers with a responsibility to report any ML/FT activities on their platforms. Accordingly, they could be held liable for any wrongdoing committed via their platform. In this context, it should be noted that virtual currency exchange operators and virtual currency depository wallet operators are also considered to be obliged entities under the Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania ("AML Law"), even though they are not financial institutions, which means that they also take on the role of gatekeeper.
In Lithuania, supervisory authorities can impose sanctions on financial institutions and other obliged entities in case of any infringements of the AML Law or other legal acts related to ML/FT prevention, including due to insufficient internal controls for ML/FT prevention, even if no actual ML/FT activity has been identified as taking place on their platform.
The Bank of Lithuania supervises the financial market participants and conducts scheduled and ad hoc inspections, including on-site examinations. Potential sanctions in case of breaches of financial services regulations include public announcement of breaches committed, warnings, pecuniary fines, restrictions on business activities, removal of the top management, and/or suspension or revocation of a licence.
While this does not occur frequently, the Bank of Lithuania tends to impose pecuniary fines where significant breaches are identified. In 2020, the largest fines in the fintech sector were imposed due to non-compliance with ML/FT prevention regulations. It is expected that the regulator will continue to closely monitor compliance in this area in the upcoming years.
The regulator’s approach towards newly licensed companies is more permissive. Together with other Lithuanian authorities, the Bank of Lithuania is a signatory party to the Declaration on the First Year of Business. This Declaration sets a common approach that where any breaches are identified during the first year of a company’s activities, the regulators should focus on remedying such breaches in consultation with the company, and sanctions should be used only as a last resort.
The following are the main non-financial services regulations. Note, however, that for regulated fintech businesses, these regulations are always applied in conjunction with specific financial services regulations.
Data Protection Regulations
The collection/use/transmission of personal data is regulated by the GDPR and the Law on Legal Protection of Personal Data of the Republic of Lithuania, and those legal acts are also applicable to fintech companies operating in Lithuania, as they often manage a large volume of personal information about their customers, and the breach of such data can have serious consequences.
The GDPR is applicable if data is collected, processed or used inside the EU, irrespective of the established location of the data controller or processor. The GDPR is also applicable if data is processed or used outside of the EU in order to offer services and goods to citizens within the EU.
The international transfer of data to jurisdictions outside the EU is permitted if the receiving jurisdiction itself applies appropriate data protection regulations.
Cybersecurity and Information Communication Technology (ICT) Regulations
The increased digitalisation of the financial sector and the growing interconnectedness across financial institutions and third parties make financial institutions’ operations vulnerable to internal and external ICT and security risks that could potentially compromise their viability. As a result, cybersecurity and ICT-related issues are becoming one of the top priorities both for EU and local legislators and supervisory authorities.
Lithuania transposed requirements of the Cyber Security Directive (EU) 2016/1148 into the Law on Cyber Security laying down the main cybersecurity principles and obligations that must be followed by digital, public electronic communication and other service providers.
Other cybersecurity and ICT-related requirements can be found in the GDPR or specific legal acts applicable to separate financial services providers.
For example, banks, PIs, EMIs and financial brokerage firms must comply with the extensive requirements established by the Bank of Lithuania in respect of ICT and security risks. Besides the other obligations in place, the aforementioned financial market participants should not only use a model of three effective lines of defence (internal management and control, risk management and internal audit) to manage ICT and security risks, but should also have detailed internal documents and procedures elaborating on the protection measures used to maintain the confidentiality, integrity and availability of the data and information of the company and its clients. It is also required that ICT and security risks should be assessed regularly.
Moreover, payment services providers, banks and credit unions are obliged to report to the Bank of Lithuania in the case of major incidents which might also be caused by cyber-attacks or other security-related events.
In general, irrespective of the type of business, advertising activities are regulated by the few legal acts of Lithuania: (i) the Law on Advertising, and (ii) the Law on the Prohibition of Unfair Business-to-Consumer Commercial Practices.
Additionally, in respect of financial services, all financial market participants should follow the Guidelines on Advertising Financial Services approved by the Bank of Lithuania. These guidelines address specific matters in terms of the advertising and distribution to be considered by financial market participants (eg, for material advertising, visual advertising, radio, television, interactive and other similar advertising).
Fintech businesses that provide services to consumers may have to comply with consumer protection requirements established in national or EU laws.
In Lithuania, all financial institutions are obliged to appoint an auditing firm for the audit of their financial statements. If a financial market participant does not qualify as a financial institution, the appointment of an auditing firm would be required where at least two of the following thresholds are exceeded on the last day of a financial year (applicable to limited liability companies): (i) the value of assets shown in the balance sheet exceeds EUR1,800,000; (ii) net sales revenue for the financial year exceeds EUR3,500,000; and (iii) the average annual number of employees for the financial year exceeds 50 employees.
Additionally, most regulated financial industry entities are required to ensure the performance of proper internal control and internal audit functions. In practice, fintech companies often engage with qualified third-party vendors to conduct an assessment of a certain area of the industry participant’s activity, such as: IT and information security, AML, etc.
Providing unregulated products and services in conjunction with regulated products and services is permitted by the legal acts regulating the activities of a specific financial market participant. Therefore, before deciding on its business activities, each regulated institution should carefully evaluate the applicable regulatory framework, as the Bank of Lithuania has discretion either to forbid such combination of services or demand that a separate entity for unregulated activities is established.
For example, EMIs and PIs are permitted to engage in activities other than those authorised under their license (eg, to provide IT-related services and solutions such as payment processing or payment gateway services, or even to provide postal services), while banks are only allowed to engage in those activities without which, it is impossible to provide financial services, and/or which support the provision of financial services.
Moreover, it should be emphasised that the official position of the Bank of Lithuania in respect of virtual assets has remained unchanged since 2017 – financial market participants should ensure separation of financial service activities from activities associated with virtual assets (ie, the purchase, storage or sale of virtual assets, the execution of transactions in virtual assets, virtual assets exchange activities, etc), as well as ensure appropriate and not misleading communication about the nature of the services they provide. Nevertheless, financial market participants are permitted to onboard customers engaged in activities associated with virtual assets and provide financial services to them, on condition that they are capable of managing ML/FT-associated risks.
Even though the common robo-adviser is supposed to be regulated by the Markets in Financial Instruments Directive (EU) 2014/65/EU (MiFID II), different asset classes might require different business models. For instance, provisioning of an insurance product may require an insurance undertaking’s licence or to be an authorised insurance broker undertaking. Therefore, it should be noted that each business model should be assessed individually, especially since some firms might find themselves in a regulatory “grey zone”.
In recent years, there have been only isolated cases on the use of robo-advisers. Considering the regulatory and supervisory environment in Lithuania, there is a niche for fintech players.
The law sets forth an obligation to ensure best execution of customer trades, whether through a robo-adviser or a broker dealer. In the case of the latter, a human bias factor might play a significant part, while automatisation can ensure mitigation of internal agency conflicts that normally arise, as robo-advisers’ fees are much more transparent, they do not themselves sell the same investments that they recommend, and full automation improves compliance and record-keeping.
The regulatory framework applicable to loans for individuals differs significantly from the one applicable to loans for small and medium-sized enterprises (SMEs) and large businesses.
Loans to Individuals
Individuals, who seek to conclude a credit agreement for personal, family or household purposes, will be considered as consumers, and lenders will have to comply with the strict requirements applicable to consumer lenders, such as:
P2P lending platform operators need to comply with all the requirements applicable to consumer credit providers as described above. In addition to the obligations towards consumer credit recipients, the P2P lending platforms also have obligations to the investors, ie, prior to concluding a consumer credit agreement, the operator must familiarise the investor with the risks assumed by the lender (such as, risks of the operator’s insolvency, the operator’s exit, conflict of interest, consumer credit recipient’s insolvency, default risk, and other risks).
Real estate loans
All the lending related to real estate, including mortgages, is regulated by separate laws, which are quite like the standard consumer lending regulations described above.
Loans to SMEs and Large Businesses
As regards loans for SMEs and large businesses, it should be noted that in most cases this is not a regulated activity in Lithuania, except for crowdfunding platform operators (both debt-based and equity-based crowdfunding platforms).
Crowdfunding platform operators
The relevant laws set forth specific requirements for crowdfunding platform operators, such as:
Industry participants are subject to AML/CFT and KYC requirements, so they must carry out proper customer due diligence measures in order to verify the identity of the customer and enter into a business relationship with the customer. Depending on the specific onboarding process chosen by the industry participant, certain rules might be applied to the identity verification process, such as video-conference onboarding.
In addition, consumer credit providers, P2P and crowdfunding platform operators are also obliged to carry out a customer creditworthiness assessment. The legal requirements of the creditworthiness assessment of the consumer are strict and dictate the specific rules that must be followed in the creditworthiness assessment process and the criteria that lenders ought to apply to decide whether a consumer is creditworthy. For example, lenders must gather information both from the consumer and external databases, and lenders must stick to the debt service-to-income ratio (DSTI) requirement, which may not exceed 40%, etc.
The source of funds used to grant a loan mostly depends on the nature of the lender, ie, whether it is a bank, P2P/crowdfunding platform or other type of lender.
In Lithuania, only banks and other credit institutions are entitled to provide loans from deposits received. P2P/crowdfunding platform operators usually act only as an intermediary between the parties concerned and loans are provided from the funds of third-party investors, such as individuals, businesses and/or even professional investors. However, it should also be taken into consideration that there are no laws prohibiting P2P/crowdfunding platform operators from participating and from granting loans from their own funds. Consumer credit providers should also grant loans from their own funds.
The syndication of loans is usually made by banks in Lithuania. There is no specific regulation in respect of this matter.
Payment processors are not obliged to use existing payment systems and can in principle create new private payment systems. However, considering the broad functionalities and advantages of existing payment systems developed and managed by the Bank of Lithuania (ie, CENTROlink and TARGET-2-LIETUVOS BANKAS), many fintech companies use them instead of looking for alternative solutions.
For example, CENTROlink is attractive for market participants as, via its infrastructure, the Bank of Lithuania provides technical access to the Single Euro Payment Area (SEPA) for all types of payment services providers licensed in the EEA – banks, credit unions, EMIs and PIs. Additionally, as participants in CENTROlink, payment services providers are assigned IBAN and SWIFT BIC codes and non-bank fintechs are able to make payments under equal terms to credit institutions.
Lithuania has transposed the harmonised requirements of the Second Payment Services Directive (EU) 2015/2366 (PSD2) into the Law on Payments of the Republic of Lithuania ("Law on Payments"), which means that the national legal framework in respect of cross-border payments and money remittances is the same as throughout the EU.
Generally speaking, cross-border payments and money remittances can be provided only by authorised payment services providers complying with the rules of conduct specified in the Law on Payments and EU regulations (eg, Regulation (EC) 924/2009 on charges for cross-border payments in euros and amending Regulation (EU) 2019/518 extending the requirements on charges for cross-border payments and currency conversion in non-euro countries, also Regulation (EU) 2015/847 on information accompanying transfers of funds, etc).
Additionally, international transfers outside the EEA can be processed by establishing correspondent banking relationships, agency relationships or by participating in global payment schemes like SWIFT.
Fund administrators (management companies) are regulated in Lithuania by European Union (EU) Directives 2009/65/EC (UCITS) and 2011/61/EU (AIFMD), which have been transposed into the national laws. There are three types of licences which might be applicable, depending on the management companies' activities. Specifically, the following laws provide requirements for management companies depending on their activities:
In order to ensure performance and accuracy, management transfer agreements contain clauses specified in the regulation, such as a management company's duty to:
In addition, under industry practice contractual terms of management transfer agreements also define:
In Lithuania, the regulatory regime establishes three different types of trading venues:
The regulation stems from the EU's legislative framework MiFID II, which is transposed into the Law on Markets in Financial Instruments of the Republic of Lithuania.
Only public limited liability companies may apply to the Bank of Lithuania for a regulated market licence and engage in the activities of a market operator based on such licence. Regulated market operators are subject to many regulatory requirements, including the need for a significant amount of initial capital, suitability of shareholders and top management, organisational requirements, etc.
MTFs and OTFs
Only category A financial brokerage firms or regulated market operators can operate OTFs and MTFs. Category A financial brokerage firms are subject to various regulatory requirements; however, they are less stringent than those for regulated market operators. If financial instruments are distributed through a licensed crowdfunding platform, its operator is subject to the same regulatory requirements as operators of MTFs.
Irrespective of the trading venue, orders for trading financial instruments can be executed by category A, B or D financial brokerage firms, as well as credit institutions licensed for such investment services.
In general, individual classes of financial instruments are subject to the same regulatory regime. However, slight differences may be relevant due to the specific nature of certain types of financial instruments and, therefore, each type of asset should be analysed on a case-by-case basis.
Also refer to 12 Blockchain where treatment of blockchain assets and virtual currencies are commented on in more detail.
This section should be read in conjunction with 2.12 Conjunction of Unregulated and Regulated Products and Services.
Activities related to virtual currencies are only partially regulated in Lithuania. The national AML Law obliges crypto-businesses, such as virtual currency exchange operators or virtual currency depository wallet operators, providing services in Lithuania to be established in Lithuania (EU and non-EU companies may establish affiliates) and subsequently, to implement AML/KYC procedures if registered with the Register of Legal Entities. Other requirements include customer identification and verification, reporting to the Lithuanian Financial Investigation Service, record keeping, designating an AML officer, implementing internal control policies and procedures, etc.
Proposal for a Regulation of the European Parliament and of the Council on Markets
It should be emphasised that today, virtual-asset issuers and service providers cannot fully reap the benefits of the internal EU market, due to a lack of both legal certainty about the regulatory treatment of virtual assets as well as the absence of a dedicated and coherent regulatory and supervisory regime at EU level. While Lithuania has already implemented a bespoke regime to cover some virtual-asset service providers or parts of their activity, in most EU countries such businesses operate outside any regulatory regime. These and other issues related to virtual assets were addressed by the European Commission in the final Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets submitted for ordinary legislative procedure at the end of September 2020. Considering this, it is very likely that in the future virtual currency-related activities will be regulated unanimously across the EEA (ie, licensing requirements, internal control and risk management requirements, etc).
Securities may be publicly offered and admitted to trading on a regulated market only after the issuer draws up and publishes a prospectus in accordance with applicable information requirements pursuant to the Prospectus Regulation (EU) 2017/1129 and the Law on Securities of the Republic of Lithuania ("Law on Securities"). It should be noted that there are exemptions from the requirement to prepare a prospectus established in the aforementioned legal acts.
Also see 12 Blockchain, where it is emphasised that in the case of an Initial Coin Offering (ICO), when the offered coins have features of securities, a prospectus, approved by the regulator, should be drawn up and they should be subject to other requirements of the national Law on Securities.
The rules for handling clients’ orders for the purchase or sale of financial instruments by financial brokerage firms are laid down in the Law on Markets in Financial Instruments of the Republic of Lithuania ("Law on Markets in Financial Instruments") which transposed the requirements of MiFID and MiFID II.
Financial brokerage firms must have in place an “orders execution policy” containing information on the execution venues of client orders (separately for each type of financial instrument), the reasons determining the choice of execution venue, and other necessary information specified in the dedicated resolution of the Bank of Lithuania.
Also see 7.7 Issues Relating to Best Execution of Customer Trades.
The rise of P2P trading platforms has not yet impacted the regulation of trading venues or AML/CFT regulations in Lithuania. However, it should be noted that, as opposed to virtual assets exchange operators, pure P2P virtual assets trading platforms would find themselves in a regulatory “grey zone” and would not qualify as obliged entities under the local AML Law. Accordingly, it is expected that amendments to legislation may be proposed once the number of peer-to-peer trading platforms increases.
The duty to act on the best execution of customer trades is established both in EU and national laws regulating securities trading activities. Best execution requirements are an important component of these investor protection standards, as they are designed to promote both market efficiency generally and the best possible execution results for investors individually, by considering such conditions as price, cost, speed, and other relevant information. On the other hand, if the customer submits a specific order to the financial brokerage firm, the best execution duty will only be fulfilled if such instruction is executed without deviating from the conditions provided in the order.
In Lithuania, brokerage firms that execute orders to trade must establish a detailed, separate “orders execution policy”, introduce such policy to the customers before executing any orders, and obtain their consent to the policy.
Moreover, breach of the best execution duty would be established if financial brokerage firms receive any renumeration, discount or non-monetary benefit for the transfer of customers' orders if this violates the requirements established in applicable legal acts for the provision or receipt of remuneration, commissions or other non-monetary benefits, or the obligation to avoid conflicts of interest.
The local Law on Markets in Financial Instruments in general does not prohibit payments for order, provided that these do not interfere with the financial broker's duty to act honestly, fairly and professionally, and under the best conditions for the customer and its interests. Moreover, strict rules should be followed by a financial brokerage firm upon receiving any remuneration discount or non-monetary benefit from third parties (ie, it is necessary to assess a conflict of interest according to internal procedure and notify the customer about such conflict of interest before executing a trading order so that the customer can decide whether such conflict of interest is acceptable or not).
As part of its work to make financial markets safer and more transparent, Market Abuse Regulation (EU) 596/2014 (MAR) is designed to improve confidence in the integrity of the EU markets, increase investor protection and encourage greater cross-border co-operation.
MAR is also part of the Lithuanian securities market's legal framework, directly applied in conjunction with the local Law on Markets in Financial Instruments and resolutions of the Bank of Lithuania.
Note that market abuse can take many different forms and a detailed description should be prepared in respect of each type of abuse. However, the following are the main general principles of market integrity to prevent market abuse:
There is no specific regulation for the creation of high-frequency and algorithmic trading technologies. These are governed by the local Law on Markets in Financial Instruments, which provides general legal requirements, obligations with respect to risk-control measures, business continuity measures, reporting obligations, etc. A high-frequency trading platform is also required to comply with certain record-keeping requirements.
Market makers functioning in a principal capacity are required to obtain a financial brokerage licence issued by the Bank of Lithuania. Specifically, this is required to seek a category A licence, for which the minimum capital requirement threshold is EUR730,000. Among other information required for an application for a licence for a financial brokerage firm, the following items are of the upmost importance:
In addition, the management of a financial brokerage company must qualify under the applicable legal requirements in terms of their qualifications, experience and/or education.
The regulations do not make a distinction between the funds and dealers that engage in these activities.
Programmers who develop and create trading algorithms and other electronic trading tools are not regulated per se (unless their activities include financial services provision). Programmers might have certain requirements for their production from an IT perspective. However, it should be noted that funds or dealers who outsource high-frequency and algorithmic trading tools must comply with the outsourcing requirements established by law.
Financial research platforms are not subject to any specific registration requirements in Lithuania. Provision of investment research, financial analysis and other forms of general recommendations relating to transactions in financial instruments qualifies as an ancillary service (to other investment services) in accordance with Section B of Annex 1 to MiFID II. The same rule is transposed into Article 3(45)(5) of the Law on Markets in Financial Instruments. Provision of this service without any other investment services would not trigger any licensing requirements. However, where a platform provides financial research services in addition to investment services, authorisation for a financial brokerage firm, credit institution or financial adviser company would be required.
Financial research platforms, whether licensed or not, may not disseminate or transmit any misleading or false information, as this could be qualified as unlawful market manipulation, regulated under MAR. In Lithuania, such behaviour could even lead to criminal sanctions laid down in Article 218 of the Criminal Code of the Republic of Lithuania ("Criminal Code"). The possibility of criminal liability in a case of market manipulation is established for both natural and legal persons.
There is no specific regulation pertaining to conversation curation on financial research platforms. However, it should be noted that market manipulation schemes and spreading of inside information are unlawful pursuant to MAR and the national Criminal Code. Accordingly, the platform should have the "notice and takedown" process in place, and should forward any information about the unlawful activities of third persons on the platform to law enforcement agencies.
Numerous underwriting processes are available to insurance industry participants and each comes with a different set of regulations.
Both insurtech and traditional insurance companies which create their own insurance products need to obtain an insurance undertaking’s licence from the Bank of Lithuania before commencing any insurance-related activities in Lithuania.
In practice, insurtechs most often act as insurance intermediaries distributing insurance products after they have been registered either with the Bank of Lithuania (in case of insurance brokerage firms) or with the insurers (in case of insurance agents).
Whichever distribution and operation structure they opt for, insurtechs need to comply with the rules of conduct specified in the Law on Insurance of the Republic of Lithuania, as well as resolutions of the Bank of Lithuania.
If the services are provided through online channels and/or provided to consumers, insurtechs, like any other financial market participant, must comply with the additional requirements established in national laws.
The national insurance legal framework makes a distinction between compulsory insurance (eg, insurance against civil liability in respect of the use of motor vehicles, professional liability insurance) and non-compulsory insurance, life and non-life insurance branches. Most insurers do not have the right to engage in both life and non-life insurance activity, save for the exceptions and expressis verbis cases permitted by law (eg, some of the insurers engaged in life insurance activities have the right to provide non-life insurance, although this is limited to accident insurance and sickness insurance classes).
It should be noted that there are general legal requirements for all insurance undertakings, irrespective of their activities (eg, precontractual obligations, conditions of insurance policies, requirements for distribution of insurance contracts, etc), and particular obligations which may vary depending on the aforementioned classification (eg, insurers authorised to provide life insurance are subject to AML/CFT requirements; the insurers distributing insurance-based investment products must comply with specific local and EU requirements established in respect of the scope of information to be presented to the customers, the customers’ suitability for insurance-based investment product assessment, avoidance of conflicts of interest, etc).
Regtech providers are not usually regulated, as most of their products/services offer technical support to ease the compliance or regulatory burden.
However, it is possible that specific regtech services or products might fall under regulatory requirements, and this should therefore be assessed on a case-by-case basis.
Where financial market participants intend to use regtech services in their activities, it should be noted that such services are considered as outsourcing of functions of financial market participants, which is subject to regulatory requirements established by law.
The relevant laws provide the applicable legal requirements for an agreement to be concluded by and between a financial market participant and an outsourcing service provider. For more detailed information on outsourcing requirements, refer to 2.7 Outsourcing of Regulated Functions, which provides a general overview of outsourcing requirements.
Moreover, the financial market participants are obliged to follow many other requirements established in legal acts and their internal documents dedicated to outsourcing, such as monitoring and control of outsourcing agreements, planning of business continuity, etc.
Last but not least, financial market participants should take into account that each financial institution remains responsible for its activities, including the services which are to be outsourced. Thus, they should allocate sufficient resources to maintain and ensure proper performance of the relevant responsibilities.
Traditional banks are becoming increasingly interested in blockchain and related technology.
SEB, one of the largest banks in Lithuania, has created its own part of an international blockchain trade finance platform; it set up its own production environment under Contour, a global blockchain-based platform for trade finance transactions, which went live in early October 2020.
The platform seeks to minimise the time consumed in processing transactions, ie, it can potentially reduce the amount of time needed to complete a transaction from an average of ten days to less than 24 hours. According to the bank, the new platform will replace the current paper-based process with a digital solution.
While the Bank of Lithuania has issued multiple warnings concerning the risks of crypto-assets and expressed its position that supervised financial market participants (ie, those who hold licences or permits to provide financial services) should not pursue activities or provide services related to virtual assets, the treatment of blockchain technology has been much more favourable.
The regulator considers the blockchain to be an advanced technological solution and a major innovation which will likely transform the financial industry. The Bank of Lithuania even launched LBChain – the world’s first blockchain-based sandbox developed by a financial supervisory authority. This platform will enable fintech companies to carry out blockchain-oriented research, to test and adapt blockchain-based services and to offer state-of-the-art innovations to their customers. The LBChain platform is currently being developed by service providers selected by the Bank of Lithuania.
First of all, it should be noted that blockchain assets are not considered to be a regulated financial instrument in Lithuania, and there is no official classification of blockchain assets. However, depending on the purpose of the asset, some specific regulation might be applied to the virtual currency exchange and virtual currency depository wallet service providers, as well as to the ICO.
Amendments to the national AML Law that came into force at the beginning of 2020 included virtual currency exchanges and virtual currency depository wallet service providers in the list of undertakings that are now subject to AML/CFT requirements, such as customer identification and verification, transaction monitoring and suspending, reporting to competent authorities and provision of information upon separate request, etc.
Moreover, these amendments impose specific obligations on ICO offerors as well, such as, identifying a customer in certain cases or providing information to authorised institutions.
As regards ICOs, when offered coins have features of securities, a prospectus, approved by the regulator, must be drawn up and they will be subject to other requirements of the national Law on Securities. Moreover, depending on the nature of the offering, statutory requirements for crowdfunding, collective investment, provision of investment services, the secondary market or the formation of a financial market participant’s capital would similarly be applied to an ICO.
As already described in 12.3 Classification of Blockchain Assets, these assets are not currently regulated under Lithuanian law. However, if the issued blockchain assets have features of securities, then a prospectus, approved by the regulator, should be drawn up and the assets should be subject to the other requirements of the Law on Securities.
As already described in 12.3 Classification of Blockchain Assets, virtual currency exchanges and virtual currency depository wallet service providers are subject to AML/CFT requirements, such as customer identification and verification, transaction monitoring and suspending, reporting to the competent authorities and provision of information upon separate request, etc.
There is no specific set of rules applying to funds that invest in blockchain assets in Lithuania. Undertakings for the Collective Investment in Transferable Securities (UCITS) funds will most likely not be allowed to invest in blockchain assets, since they may not be regarded as trusted transferable securities. However, there are no such limitations when it comes to Alternative Investment Funds (AIFs).
Since blockchain assets are not regulated in Lithuania, there is no official definition of the term.
However, the AML Law provides a virtual currency definition: virtual currency means an instrument with a digital value but without the status of a currency or money, which is not issued or guaranteed by a central bank or other public authority and which is not necessarily related to currency, but which is recognised by natural or legal persons as a medium of exchange that might be transferred, stored and sold by electronic means.
According to the Bank of Lithuania, virtual currency that can be used for settlement is one of the forms of blockchain assets.
There is no different treatment of virtual currencies and blockchain assets in Lithuania.
Decentralised finance ("DeFi") is not regulated in Lithuania and is not officially defined in the regulation.
Where DeFi provides virtual currency exchange and virtual currency depository wallet services and/or is involved in ICOs, such service providers might be subject to the regulation of the national AML Law and/or the Law on Securities, as noted in 12.3 Classification of Blockchain Assets.
Regulation of open banking in Lithuania is supported by PSD2 which was transposed into Lithuanian law in 2018, while the technical requirements deriving from PSD2 are implemented by secondary legislation.
The obligation to open an Application Programming Interface (API), according to the Regulated Technical Standards 2018/389 of 27 November 2017, came into force on 14 September 2019. Since this date, financial market participants have been obliged to provide a “dedicated interface” or API for provisioning customer data.
Open banking driven by the PSD2 is actively emerging in the Lithuanian fintech market, as it has opened a new field for financial services providers and third-party payment service providers (TPPs), and it has acted as an accelerator for legacy players to innovate their products and services. Specifically, new payment services, such as (i) account information service and (ii) payment initiation service, are actively being developed.
Even though the PSD2 and GDPR legislation was drafted during relatively the same period, many concerns and issues have arisen between these two regulations. As a result, European public authorities have issued guidelines on PSD2's interplay with the GDPR, which might play a significant role in this regard.
In general, concerns raised by open banking include various concerns related to data protection and security measures, while among other topics being raised by market participants, the question of liability is regarded as being of the utmost importance. This issue is partially covered by professional indemnity insurance.
In practice, supervisory authorities are paying increased attention to the security level in financial institutions' systems. Some of them are under the magnifying glass, as the recent public announcement by the State Data Protection Inspectorate of Lithuania about upcoming investigations, specifically of financial market participants, delivers a message to the market that data privacy and data security requirements must be ensured jointly with PSD2.
The outbreak of COVID-19 has had a significant impact on our society by imposing historically unseen limitations on freedom of movement and economic activities. However, over the past 12 months the fintech market has been able to break through the aforementioned limitations and provide much-needed assistance to various businesses. Fintech market participants coped successfully with the pandemic reality and responded with record-breaking statistics. In brief, the following were key to fintech market players’ success:
Hats off to fintech market participants who have managed to introduce remote client on-boarding procedures, provide full-capacity service online, and reorder their customer service flows within a very short time period.
Consequently, digital payment transactions executed by electronic money institutions (EMIs) and payment institutions (PIs) in Lithuania grew 1.6 times year-on-year to reach a total of EUR24.9 billion in Q3 2020, while their income during the first lockdown grew by a factor of 1.8.
That being said, it should be noted that some downfalls were inevitable, as legacy players refused to accept their clients at their branches, the delivery of new payment cards took longer than usual, and for some time it was not possible to order a mobile signature service. Potentially, public authorities should learn their lesson once COVID-19 is contained, as there are many areas where the fintech market can work for the good of society. Specifically, during the lockdown period, remote identification of natural persons highlighted some regulatory issues, especially for that part of society which does not have proper technical means. Furthermore, most public institutions should reassess their IT and payment solutions since their acquiring services are based on bank link or intermediary service providers which imply additional costs for individuals. During the lockdown, an increase in remote identification fraud cases was also discovered, requiring a review of relevant IT solutions.
AML Competence Centre
It is well known that the Bank of Lithuania devotes considerable attention to money-laundering and financing of terrorism risks (ML/FT). In pursuing a zero tolerance approach to violations of anti-money laundering and combating the financing of terrorism (AML/CFT) obligations, the Bank of Lithuania, in co-operation with the national Financial Crime Investigation Service, continuously improves and strengthens control measures to combat such illicit activities not only by tightening the AML/CFT legal framework under which increasingly strict requirements are imposed on obliged entities, but also by taking a proactive, high-level approach when supervising the financial services sector and its participants.
It is no coincidence that the Bank of Lithuania is considered to be one of the most modern and innovation-driven financial supervisory authorities in Europe. As of October 2020, the government of Lithuania gave the green light to the Centre of Excellence in Anti-Money Laundering (AML Competence Centre), a unique public-private co-operation project initiated and successfully developed by the Bank of Lithuania to strengthen the prevention of money laundering and the fight against the financing of terrorism.
The AML Competence Centre was established by the Ministry of Finance of the Republic of Lithuania, the Bank of Lithuania and the biggest commercial banks operating in Lithuania, and it will be open to other financial market participants as well. The AML Competence Centre will collaborate with the main public authorities such as the Financial Crime Investigation Service, the police department, the State Tax Inspectorate and the Prosecutor General’s Office. The launch of the AML Competence Centre is expected to take place in 2021.
The AML Competence Centre is set up to mobilise public and private efforts to combat ML/FT and to strengthen the legal framework. The entire project was built around the desire to better understand the expectations of persons responsible for preventing ML/FT and the difficulties they face, the need to address the risks related to modern technologies that are changing the financial sector, as well as aiming to develop and implement the best and most effective AML/CFT practices in Lithuania.
After its launch the AML Centre will become a channel for:
The European Common Market offers access to more than 500 million consumers, so it is no wonder that many fintech players wish to access the benefits of this market through which, with a single licence issued in one member state, a fintech business can freely operate in the whole of Europe.
Taking advantage of such benefit, many fintech businesses have been enabled to provide financial services across the whole of Europe from their one establishment in the UK.
However, the UK exit from the EU has cut off the UK fintech businesses’ access to the European Common Market, and the UK-EU Trade and Cooperation Agreement concluded at the end of 2020 did little to facilitate UK fintech businesses' access to the European market. Therefore, from 1 January 2021 all financial market participants licensed in the UK lost the right to offer services to European customers.
Therefore, UK-based financial market participants wishing to continue to provide financial services in Europe had to re-consider their strategy.
And this is where Lithuania came onstage.
Despite being small, Lithuania's ambition is to become one of the EU’s hottest destinations for fintech and, since 2016, it has been working hard to achieve this goal.
At the beginning of 2017, the Bank of Lithuania launched the Newcomer Programme, which is a one-stop shop for meetings and consultations with the Bank of Lithuania, handling receipt of information about the licensing process and consultations on launching a business or new product. The Bank of Lithuania together with the Ministry of Finance also put a lot of effort into ensuring that Lithuania’s regulatory landscape would be in line with technological progress: for example, it created the possibility to verify a customer’s identity remotely that was not commonly approved across Europe. Lithuania also offered one of the most streamlined and efficient licensing procedures in the EU – thanks to a well-calibrated process, it takes as little as three to six months to get a payment institution’s or an electronic money institution’s licence in Lithuania.
All these efforts paid off. Lithuania’s fintech sector has been growing rapidly since 2017 and the announcement of Brexit gave further impetus to Lithuania’s ambitions, since it put hundreds of fintech companies in search of a base on the Continent, allowing Lithuania to become one of the leading jurisdictions for the relocation of UK-based fintech businesses due to Brexit.
Curve, the UK-based electronic money institution, known for its payment card that aggregates multiple payment cards through its accompanying mobile app, chose Lithuania over the likes of Ireland, the Netherlands and Luxembourg as its base for post-Brexit operations in Europe.
On obtaining a licence from the Bank of Lithuania in late October 2020, Curve joined a list that already includes Revolut, Instarem, TransferGo, Contis, Railsbank and the many other fintech businesses enjoying Lithuania’s legal landscape.
Open banking driven by the PSD2 is one of the most long-awaited novelties in the finance market. An obligation derived from the PSD to open an “Application Programming Interface” (API), according to the Regulated Technical Standards 2018/389 of 27 November 2017, came into force on 14 September 2019. Since this date, financial market participants have been obliged to provide a “dedicated interface” or API for provisioning customer data.
Open banking appears to be one of the most debated topics in the banking and finance market today because it creates possibilities for so-called “third-party providers” (categorised as PISPs and AISPs) to receive access to the data on the payment service user’s payment account(s) maintained by the account servicing payment service provider (ASPSP), subject to such user’s explicit consent (XS2A Rule). ASPSPs (ie, banks) will be required to provide access to their clients’ data to third-party providers even in the absence of a contractual relationship between the bank handling the client’s accounts and the PISP or AISP. Communication between these payment service providers will be implemented via APIs.
Financial market innovations have triggered a demand for new regulations which reflect today’s actualities. Given the amount of personal financial information, which in fact might be considered as being of the most significant value nowadays, third-party providers are able to offer new value-added services in the payments market on the basis of the bank infrastructure.
It must be acknowledged that the market is still at the starting line of the open banking story, but the demand, interest and pace of change in the financial market should force its development shortly.
Finally, it is worth noting that even though PSD2 and open banking were intended to foster competition and reduce the gap between the traditional fintech market and credit institution participants, the latter are coping with the new regulations or PSD2/open banking challenges very well. Scandinavian banks in Lithuania are among the innovators who are successfully and constantly introducing features offered by open banking. Thus, it will be interesting to follow different models' and different opponents’ journey in the market. In any case, it is important to remember that, despite the competition between interested parties, the final beneficiary must be society, which finance ultimately serves.
Crowdfunding activity across the EU has evolved significantly in recent years and Lithuania is no exception. In fact, it was one of the first countries in the EU to introduce a modern and fully-fledged regulatory regime for crowdfunding platforms in 2016. The new regulations had a significant impact on small and medium-sized enterprises (SMEs) and especially on start-ups, which see crowdfunding as an easily accessible alternative to bank loans.
Fast-forward to the end of 2020, when Lithuania’s crowdfunding market grew further despite the COVID-19 pandemic. In fact, the Bank of Lithuania reported an increase in both the number of projects financed through the platforms and the amount of funding raised.
But things are about to improve even more in 2021. On 10 November 2021, a new EU regulation and an accompanying directive will become applicable in the EU, which will open the borders between the EU and EEA countries for crowdfunding platforms.
In brief, the new EU-level regulatory regime will apply to crowdfunding services provided to non-consumer project owners in an amount up to EUR5 million (calculated over a period of 12 months per project owner). Crowdfunding service providers will apply for authorisation to the national authority of the EU member state in which they are established. Such authorisation process should take around three to five months.
Locally authorised crowdfunding service providers will be able to provide cross-border crowdfunding services in the EU and EEA countries, subject to giving prior notification to the national authority as a single point of contact. In addition, the European Securities and Markets Authority (ESMA) will establish a publicly available register of all crowdfunding service providers.
The new regime will also establish protection measures for investors. Crowdfunding service providers will need to give their clients clear information about the potential financial risks of each project. For this purpose, the investors will be provided with a key investment information sheet on the crowdfunding project, drafted by the project owner or at the platform level.
Current differences between national rules on crowdfunding authorisation will be a thing of the past. But Lithuania will definitely remain one of the leaders in this industry, as an EU-entry point for fintech. As already mentioned, the Bank of Lithuania has been issuing authorisations for crowdfunding platform operators for several years already, and the authorisation process for operations in Lithuania currently takes only two to three months. Thus, it is expected that Lithuania will serve as an EU gateway for early birds, keen to start operating across the EU and EEA as soon as possible, by providing the possibility to convert their national authorisation into authorisation under the EU regulation, once it starts to apply.