Lithuania has become a significant hub for fintech innovation in Europe. With a conducive regulatory environment, supportive government initiatives and a growing talent pool, the country’s fintech sector continues to see notable growth. While the increase in the number of regulated fintech companies has slowed slightly, the focus has shifted towards sustainable expansion and greater maturity within the sector. According to the “Fintech Landscape in Lithuania 2023–24 Report” released by Invest Lithuania, the country now boasts over 270 fintech companies, employing around 7,400 individuals. The Fintech Strategy 2023–2028 adopted by the government of Lithuania emphasises quality, risk management and attracting high-value-added fintech leaders; this indicates a move away from solely rapid growth towards sustainability and sector resilience.

Lithuanian fintechs are increasingly specialising in specific niches, such as payments, regtech and financial solutions for SMEs. This leads to a greater depth of expertise and drives innovation. A growing number of fintech companies cater specifically to businesses, providing services such as payment infrastructure, open banking solutions and regulatory compliance tools.

Local Regulatory Developments

Lithuania’s regulatory developments are determined by broader EU trends. The main focus is the implementation of the EU’s Regulation on markets in crypto-assets (MiCA) and the EU’s Regulation on digital operational resilience for the financial sector (DORA) by developing implementing regulations and procedural rules.

EU Regulatory Developments

The implementation of EU-wide regulations such as MiCA and DORA are of paramount importance, setting new standards for crypto-asset regulation and strengthening cybersecurity and operational resilience requirements.

Cybersecurity and fraud prevention

Rising threats demand robust cybersecurity measures and fraud prevention strategies to protect user data and assets.

Sustainability focus

Fintech solutions that address environmental, social and governance (ESG) concerns are expected to receive increasing attention and investment, aligning with Lithuania’s commitment to a sustainable financial sector.

Role of Artificial Intelligence (AI) in Fintech

In Lithuania, many fintechs and even traditional financial institutions have begun integrating AI. There is a general trend towards automation of services and fully online operations in banking and finance. For example, some established market participants now offer robo-advisers as part of their investment services, providing algorithm-driven portfolio advice to clients. Others are using AI behind the scenes to automate internal processes related to loan underwriting, AML, sanctions and fraud screening as well as customer onboarding – which previously required significant manual effort. The aforementioned Fintech Strategy 2023–2028 also encourages development of AI solutions, even setting up innovation funds and financial stimulus for start-ups to foster AI, blockchain and robotic process automation projects.

While AI is becoming an almost essential tool for fintechs in order to stay competitive, as with all businesses they will have to take into account new EU regulations on AI and the prohibition of unethical AI systems as they are understood under the new AI Act.

Fintech Landscape

Lithuania’s fintech landscape mirrors broader global trends while maintaining its own distinct flavour. The sector’s growth has been particularly noticeable in the following fields.

Payments

The country boasts a competitive environment for payment solutions. Significant players include payment institutions, cross-border transfer companies, and providers of e-commerce and mobile wallet technologies. Continued growth in this area is expected, driven by factors such as Lithuania’s tech-savvy population and the legacy impact of Brexit, which has prompted some companies to relocate their EU operations to Lithuania.

Lending

Peer-to-peer lending platforms and online credit providers are gaining traction. In addition, Lithuania has experienced a boom of licensed crowdfunding service providers developing business models in the Baltics and preparing for EU-wide expansion.

Financial software

Lithuanian-developed solutions power both back-office operations and customer-facing applications. Companies are active in compliance (AML, KYC), accounting and risk management tools, as well as personal finance management and investment-related analytics platforms.

Emerging and Evolving Areas

Insurtech

While nascent compared to the sectors above, insurtech activity is increasing. Start-ups are experimenting with peer-to-peer coverage models, usage-based insurance and streamlined digital claims processes. The Bank of Lithuania’s regulatory sandbox provides key support for testing innovative insurance approaches.

Blockchain and crypto-assets

Lithuania attracts activity in cryptocurrency exchanges and custody services, particularly following updated regulations in this field. The Bank of Lithuania is actively engaged in the evolving conversation around DeFi and potential applications of tokenisation. However, the main challenge for such companies is licensing and compliance under MiCA.

Robo-advisory

Automated investment platforms are present in the Lithuanian market. However, regulatory scrutiny around client onboarding and risk profiling, as seen in other European jurisdictions, has impacted on this subsector.

Legacy players

Traditional Lithuanian banks are engaging with this fintech evolution through heavy investment in IT solutions and the transition from traditional face-to-face service provision of services to online communication.

In-house innovation

Dedicated internal teams are being built, focused on fintech innovation and developing solutions to compete directly with independent players.

Payments

Lithuania’s payment sector is primarily shaped by the Law on Payments, which transposes the EU’s Payment Services Directive 2 (PSD2) and Guidelines for the Provision of Payment Services issued by the Bank of Lithuania. Companies intending to act as payment initiation service providers (PISPs) or account information service providers (AISPs) must register with the Bank of Lithuania, with licensing requirements varying depending on the specific services offered. Overall, PSD2 provides a robust EU-wide framework, while Lithuanian guidance ensures clarity in practical implementation.

Crypto-Assets

MiCA will significantly impact on Lithuania’s crypto landscape. MiCA harmonises licensing and oversight across the EU, and the Bank of Lithuania is the key supervisor for MiCA compliance within Lithuania. It is important to consider how MiCA will define different categories of crypto-asset service providers, and whether specific national-level regulations might emerge on use cases not fully addressed by MiCA.

Trading and Investment Activities

The Law on Markets in Financial Instruments implementing the EU’s Directive on Markets in Financial Instruments (MiFID II), together with the EU’s Regulation on Markets in Financial Instruments (MiFIR), serves as the cornerstone of Lithuania’s regulatory framework for trading and investment activities. Investment firms, brokers, robo-advisers and trading platforms all fall under this regulatory umbrella. The specific licensing and compliance obligations depend heavily on the exact services provided. MiFID II/MiFIR provide a robust foundation at the EU level, making the accurate classification of business models essential for determining the applicable rules.

Insurtech

The Law on Insurance outlines the framework for insurance activities in Lithuania. Even innovative Insurtech models must adhere to licensing, capital and consumer protection requirements. The Bank of Lithuania’s regulatory sandbox provides a space for testing new insurtech products under supervision. Potential friction points can arise when insurance law does not perfectly align with cutting-edge insurtech concepts, making the sandbox a valuable tool.

Crowdfunding

The EU’s Regulation on European crowdfunding service providers for business (the “Crowdfunding Regulation”) takes precedence, superseding previous national Lithuanian law. There is limited room for national discrepancy in this area, ensuring a streamlined process. Crowdfunding platforms must obtain a licence under this Regulation and are overseen by the Bank of Lithuania for operating across the EU. Before being licensed under the Crowdfunding Regulation, crowdfunding service providers were supervised and licensed under national rules; relicensing under the Crowdfunding Regulation has thus had a significant impact on such business models.

Consumer Lending

Consumer lending is governed by the Law on Consumer Credit and the Law on Real Estate-Related Credit. Both laws implement different EU rules on consumer lending, namely the EU’s Directive on credit agreements for consumers (the “Consumer Credit Directive”) and the EU’s Directive on Credit Agreements for Consumers Relating to Residential Immovable Property. Peer-to-peer platforms are supervised and licensed by the Bank of Lithuania and are covered by specific provisions in the above-mentioned laws; they are heavily impacted by general contract law, consumer protection provisions and the Bank of Lithuania’s guidance on risk management. An upcoming deadline for implementing amendments to the Consumer Credit Directive will bring additional harmonisation and further affect areas such as the burgeoning “Buy Now Pay Later” sector.

General AML and Cybersecurity Framework

Lithuania has strict AML/CTF laws with robust supervision that align with EU best practices, placing a strong emphasis on customer due diligence, transaction monitoring and reporting. National legislation generally follows the EU’s Directive on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD).

There is no single dedicated law when it comes to cybersecurity; however, fintechs operate under a combination of Bank of Lithuania guidance and EU Regulations, such as the EU’s Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) (data protection) and DORA (operational resilience). The national cybersecurity framework set out by the Law on Cybersecurity and implementing Directive on measures for a high common level of cybersecurity across the Union (NIS2) may be relevant.

Compensation models within the Lithuanian fintech landscape operate under a mix of EU-level Directives and national implementation. While contracts between fintech firms and their clients form the basis for fee structures, consumer protection regulations play a significant role in B2C segments. Fintechs dealing with consumers face stricter limits on the fees they can charge and are subject to more extensive disclosure requirements, inspired by EU Directives such as PSD2 and the EU’s Directive on the comparability of fees related to payment accounts, payment account switching and access to payment accounts with basic features (PAD). Compensation models might include per-transaction fees (fixed or percentage-based), periodic subscription fees or hybrid models. B2B agreements often have greater leeway in fee structures for consumer-facing services.

Regardless of the customer type, Lithuanian law emphasises fee disclosure. Fintechs are obligated to provide pre-contractual information that clearly outlines pricing. The specific format and detail of this disclosure depend on whether the client is a consumer or a business, mirroring the consumer protection focus of EU law. In certain areas, standardised Fee Information Documents might be required to aid consumers in comparing different service providers.

Sector-specific regulations can introduce further restrictions or disclosure requirements. Fintechs involved in lending, investment services or insurance need to pay close attention to rules governing those sectors. Additionally, merchants may face limitations on surcharging (adding fees for certain payment methods), especially concerning card-based transactions regulated under the EU’s Regulation on interchange fees for card-based payment transactions (IFR).

Lithuania embraces a “technology-neutral” approach in its financial regulatory framework. This means that fintech companies offering services that align with existing financial regulations are generally subject to the same rules as traditional legacy players.

Nonetheless, in practice, fintechs may initially qualify for lighter licenses (eg, for a payment institution or electronic money institution) based on their focused service offerings. These licences have less stringent requirements than full-fledged banking licences, easing the regulatory burden while enabling fintechs to launch their services.

Lithuania offers a regulatory sandbox supervised by the Bank of Lithuania. This sandbox acts as a real-world testing environment where new and existing fintech companies can present innovative financial products and services to consumers. The Bank of Lithuania provides guidance and closely monitors these tests to assess risk and viability. Fintech companies demonstrating successful innovation within the sandbox may then transition to operating under normal conditions within the Lithuanian market, subject to obtaining any required licences.

The regulatory sandbox is open to fintech companies offering innovative products or services, especially those challenging existing regulatory frameworks or requiring refinement before wider launch. Additionally, the LBChain platform allows businesses exploring blockchain-based services to gain knowledge, conduct research and potentially test new products under the regulator’s guidance.

The Bank of Lithuania has an application process for the regulatory sandbox, with specific evaluation criteria. The degree of supervision within the sandbox depends on the innovation’s nature and potential risks. Ultimately, even successful sandbox participation does not guarantee automatic licensing; companies must still adhere to standard regulatory requirements for their chosen business activities.

Lithuania’s financial regulatory landscape features the Bank of Lithuania as a main regulator supervising all licensed financial service providers. It holds broad authority for licensing and overseeing various financial institutions, including credit institutions, payment institutions, electronic money institutions, insurance companies, investment firms and CASPs. Additionally, the board of the Bank of Lithuania establishes regulations that dictate the operations and conduct of these financial market participants.

In addition to the Bank of Lithuania, there are a number of area-specific regulators and supervisors.

The Financial Crime Investigation Service (FCIS) serves as the central agency dedicated to anti-money laundering (AML), combating the financing of terrorism (CTF) and international sanctions compliance in the financial sector. It plays a crucial role in developing and implementing national AML/CTF policies, establishing preventative measures and conducting pretrial investigations into suspected cases of money laundering and terrorism financing.

In certain scenarios, the regulatory oversight of a financial institution might involve both the Bank of Lithuania and the FCIS. For instance, compliance with AML/CTF reporting falls under the FCIS’s purview but is also a fundamental aspect of the Bank of Lithuania’s wider supervisory role. The two authorities frequently collaborate in areas where their responsibilities overlap, ensuring a comprehensive regulatory and enforcement framework.

There are a number of non-financial sector-specific institutions that may regulate or supervise various aspects of financial service providers, such as the State Data Protection Inspectorate (which supervises compliance with personal data processing requirements) and the Competition Council (which supervises compliance with competition law).

While the Bank of Lithuania maintains an open and collaborative approach, actively consulting with financial market participants to help ensure compliance with licensing requirements, the regulator emphasises that it does not have the authority to provide legally binding interpretations on regulations that may be broad or open-ended. Consequently, the Bank of Lithuania lacks the formal mandate to issue “no-action” letters. Instead, the jurisdiction demonstrates regulatory flexibility through alternative mechanisms, such as the regulatory sandbox programme or leniency provisions for newly established businesses.

In 2024, the Lithuanian Parliament introduced a new administrative agreement mechanism. Under this framework, the Bank of Lithuania and a supervised entity may enter into an agreement to amicably resolve situations where grounds exist for administrative investigations. This mechanism:

• ensures a swift resolution of investigations into potential misconduct;
• promotes proactive co-operation from financial market participants; and
• facilitates the correction of compliance issues through collaboration between the Bank of Lithuania and supervised entities.

Lithuanian regulations permit the outsourcing of regulated functions to external service providers, ensuring flexibility for fintechs and financial institutions. These arrangements must adhere to strict obligations designed to maintain compliance and manage risk. Importantly, Lithuania’s outsourcing requirements generally align with EU legislation and relevant guidelines from the European Supervisory Authorities (ESMA and EBA). DORA is also directly applicable to ICT-related outsourcing. Fintechs retain ultimate responsibility for outsourced functions, ensuring adherence to all applicable regulations, even when working with third-party service providers. In addition, overtly extensive outsourcing could be considered a feature of an “empty shell” and draw the attention of supervisors.

Before outsourcing, fintechs must conduct thorough due diligence on the chosen service provider’s capabilities, experience and resources. Continuous oversight and monitoring of outsourced activities are essential, including the appointment of a designated individual within the fintech to oversee the arrangement and track performance against agreed-upon service levels (SLAs). Outsourcing of critical functions, such as internal control, compliance and AML, may necessitate notification to or pre-approval by the Bank of Lithuania. Outsourcing agreements must always be formalised in written contracts that clearly outline:

• inspection rights;
• performance metrics (KPIs);
• consequences in the case of breaches; and
• termination provisions.

With the application of DORA from 17 January 2025, additional robust requirements apply to IT outsourcing. As there is no grandfathering clause for existing contracts, adjusting IT contracts is a focus area for financial service providers.

In certain cases, Lithuanian regulations mandate the outsourcing of specific functions solely to other regulated entities. This is particularly common in areas such as asset management, where sensitivity might require that all parties be subject to direct regulatory oversight. Additionally, there are instances where functions cannot be outsourced at all; for example, the internal audit function of a bank must be performed in-house and cannot be delegated to an external service provider.

In Lithuania, whether a fintech provider is deemed a “gatekeeper” is determined based on its specific activities and services. Fintechs offering regulated financial services directly (eg, lending) bear primary responsibility for regulatory compliance, including within AML/CTF and sanctions compliance frameworks. Fintechs involved in activities with AML/CTF implications must implement know-your-customer (KYC) procedures, monitor transactions and report suspicious activities to the FCIS. An additional trend is the increased focus on fraud prevention through provided services.

The past 12 months have shown a continued emphasis on AML compliance and consumer protection within Lithuanian fintech enforcement actions. Regulators – primarily the Bank of Lithuania – are actively supervising the sector.

Both payment institutions and electronic money institutions have received substantial fines or limitations of activity for insufficient customer due diligence, transaction-monitoring weaknesses and failures to report suspicious activity. Fintechs offering services related to crypto-assets are being closely scrutinised for compliance with AML/CTF obligations.

Regulators have taken action against fintechs in various areas, demonstrating the importance of clear disclosures, responsible practices and consumer rights protection.

Investigations into peer-to-peer lenders have focused on appropriate creditworthiness assessments and clear communication of terms and fees.

Companies offering payment or investment solutions have faced penalties for providing insufficient or potentially misleading marketing information to consumers.

Fintech companies in Lithuania must carefully consider the impact of several key non-financial regulations, particularly those focused on data protection and cybersecurity.

Personal Data

The GDPR is central to Lithuania’s data protection framework. Fintechs handling significant amounts of personal and financial data must adhere to its strict obligations regarding data collection, processing, storage and breach notification. These obligations mirror those of legacy financial institutions, with an emphasis on user consent and transparency.

Operational Resilience

DORA is an EU-level regulation with a significant impact. It introduces formalised requirements around ICT risk management, incident reporting and testing. The guidance from the Bank of Lithuania mainly aligns with DORA’s principles, but fintechs should anticipate a need to further enhance their processes.

Network and Information Security

Lithuania has implemented NIS2, establishing cybersecurity standards for critical sectors, including finance. Fintechs should carefully assess whether they fall under the scope of NIS2, necessitating compliance with its incident response, security and reporting requirements.

External auditors play a crucial role, as mandated by law for most financial institutions. Auditors assess financial statements, internal controls and regulatory compliance.

Accounting firms offer a broader range of services, including tax compliance, bookkeeping and financial advisory, helping fintechs navigate the regulatory landscape. Technology vendors providing critical software solutions may impose their own due diligence and security requirements that fintechs must satisfy. Additionally, potential investors and business partners often closely scrutinise fintech operations, focusing on financial controls, risk management and regulatory compliance.

While specific audits, tax compliance and certain vendor contract terms may be legally mandated, industry standards are equally important for fintechs. Certifications, while not strictly required in the majority of cases, demonstrate best practices and can benefit a fintech’s reputation.

Lithuanian fintechs may offer a mix of regulated and unregulated products or services. Generally, offerings deemed directly connected to the core regulated activities can be included within the same legal entity, simplifying operations for ancillary features or closely related innovations. For offerings with potential for increased financial or operational risk that could adversely affect the regulated business, the Bank of Lithuania may require the regulated fintech to establish a separate legal entity. This aims to protect the core regulated activities and ensure effective regulatory oversight.

Additional requirements may apply depending on the specific type of financial institution. For example, banks, beyond providing financial services, can only engage in activities essential for enabling financial services or those directly related to their core function. This ensures that banks maintain their focus and limit activities that jeopardise financial stability or regulatory compliance.

AML/CFT and sanctions compliance are critical considerations for Lithuanian fintechs, with the level of obligations varying based on their specific activities.

Fintechs classified as “obliged entities” within the AML/CFT framework (eg, payment institutions, e-money institutions, providers of crypto-asset services, factoring service providers) face extensive requirements. This includes robust KYC procedures, transaction monitoring, suspicious activity reporting and strict sanctions-screening systems. These obligations mirror those of traditional financial institutions. This situation has resulted in the creation of various AML/CFT compliance-related regtechs such as Amlyze (AML/CFT compliance tools) or iDenfy (remote identification).

The current geopolitical context has elevated the scrutiny of sanctions compliance. Lithuanian fintechs must implement appropriate screening tools and internal controls to mitigate the risk of facilitating illicit activities or violating sanctions. The Bank of Lithuania and the FCIS have recently issued specific sanctions compliance guidelines, which fintechs should thoroughly review alongside EU sanctions regulations.

Lithuania has a developed AML/CFT framework that largely adheres to Financial Action Task Force (FATF) standards. As an EU member state, Lithuania implements the EU’s AML Directive and undergoes regular evaluations by the Council of Europe’s MONEYVAL to assess compliance with FATF’s 40 Recommendations. The latest enhanced follow-up review indicates that Lithuania is compliant or largely compliant with the vast majority of FATF Recommendations, with only a few areas (notably those concerning certain targeted sanctions and the supervision of designated non-financial businesses) still rated as partially compliant. In general, Lithuania is going in the right direction in terms of full compliance with the recommendations.

Rules governing reverse solicitation originate at the EU level, primarily under MiFID II and MiCA. The main requirement is that the client must engage the financial institution operating from a different jurisdiction entirely on the client’s own exclusive initiative. Importantly, such client-initiated contact does not grant the third-country financial institution any right to actively market additional financial products or services to that client. European supervisory bodies emphasise that the concept of reverse solicitation should be interpreted narrowly, underscoring the importance of consumer protection and maintaining transparency and stability within financial markets.

Generally, there is no distinction based on whether investment services are provided by humans or through automated or semi-automated systems (robo-advisers). The same licensing requirements apply, although certain additional obligations must be observed, for example under ESMA Guidelines relating to MiFID II suitability requirements.

Different business models for robo-advisers may be required, depending on the specific nature of services and the asset classes involved. Typical robo-advisory services related to financial instruments include investment advice and  portfolio management. Commonly, robo-advisers focus on exchange-traded funds (ETFs); however, they may also provide services involving digital assets such as security tokens.

Lithuania fully aligns with the EU regulatory framework without serious national deviations. Some of the regulatory requirements applicable to robo-advisers depend on the classification of the asset:

• if classified as a security token under MiFID II, standard financial instrument regulations apply; and
• if classified as a crypto-asset, MiCA requirements will be relevant.

Following the entry into force of MiCA, providing investment advice or portfolio management related to crypto-assets will require either a MiCA licence or authorisation as another regulated institution specified in MiCA (eg, a credit institution or investment firm).

There is a general trend by financial institutions towards automation of services and a transition to purely online services. Some market participants offer robo-advisers as a separate investment service (eg, SEB), while others automate internal processes.

Generally, the same requirements for best execution are applicable for robo-advisers as for employees of investment service providers.

Requirements may vary depending on the role of a financial institution (eg, whether lending of own funds or merely acting as an administrative intermediary between lenders and borrowers) and the type of borrower.

National regulations transpose consumer protection-oriented directives, namely the EU’s Consumer Credit Directive and the EU’s Mortgage Credit Directive. Lending to consumers is not only in line with the EU Directives but also provides for many additional safeguards and requirements, including soft law instruments. Peer-to-peer lending also falls within the same framework of consumer credits and mortgage credits, and the obligation to ensure compliance is vested in peer-to-peer lending platform operators.

Regulations on lending to businesses and entrepreneurs are more liberal. Generally, lending to non-consumers is a non-licenced activity. However, the activities of crowdfunding service providers require a separate licence.

Irrespective of the recipients of the loan, the majority of, or all of, the underwriting process is completed remotely, and includes submission of a credit application, assessment of creditworthiness, conclusion of a funding agreement and even creation of a security instrument (eg, mortgage or pledge). Various IT solutions are used to ensure regulatory compliance and risk management, including remote identification and qualified electronic signature.

Despite the emerging importance of peer-to-peer lending and crowdfunding, the main source of funds remains traditional credit institutions funded by deposits and group companies. An additional trend of borrowing by issuing bonds has emerged; however, recent defaults and increased yields could disincentivise further development of this sector.

Syndication is typically used for loans exceeding the risk appetite of a specific bank or due to regulatory considerations such as the impact on capital adequacy requirements. Both syndications within the lender’s group and among lenders from different groups are common practices. Typically, lending by a few lenders of the same group involves cross-border provision of services. In addition to a more complicated negotiation process, some lenders are dissuaded from participating in loan syndications due to competition law concerns.

Payment service providers may use existing payment infrastructures – including correspondent banking, card schemes, SEPA, SWIFT – and may also implement new ones. However, additional requirements may be applicable to new payment rails, such as licensing, non-discriminatory access and operational resilience.

As Lithuania is a member of the Single Euro Payments Area (SEPA), customers can make cashless euro payments – via credit transfer and direct debit – to anywhere in the EU (as well as to a number of non-EU countries) in a fast, safe and efficient way, just like national payments.

The same regulatory framework is applicable for payments within Lithuania, namely the Law on Payment implementing PSD2 as well as specific cross-border EU Regulations (ie, the EU’s Regulation on cross-border payments in the Union).

Regulations are focused on elimination of cross-border barriers within the European Economic Area (EEA) as well as enhanced consumer protection.

The Law on Markets in Financial Instruments implementing MiFID II provides for three types of permissible trading platforms for trade in financial instruments:

• regulated markets;
• multilateral trading facilities (MTFs); and
• organised trading facilities (OTFs).

A regulated market is a multilateral system operated and/or managed by a licensed market operator, which brings together or facilitates the bringing together of multiple third-party buying and selling interests in financial instruments – in the system and in accordance with its non-discretionary rules – in a way that results in a contract, in respect of the financial instruments admitted to trading under its rules and/or systems, and which is authorised and functions regularly. Presently, there is only one regulated market operator licensed in Lithuania – AB Nasdaq Vilnius.

The MTF is a multilateral system, operated by an investment firm or a market operator, which brings together multiple third-party buying and selling interests in financial instruments – in the system and in accordance with non-discretionary rules – in a way that results in a contract. The main MTF acting in Lithuania is First North.

An OTF means a multilateral system that is not a regulated market or an MTF, and in which multiple third-party buying and selling interests in bonds, structured finance products, emission allowances or derivatives are able to interact in the system in a way that results in a contract. There are no licensed OTF operators in Lithuania.

Following the entry into force of MiCA, the operation of a trading platform for crypto-assets is considered a crypto-asset service requiring a licence under MiCA.

For platforms trading in financial instruments – including crypto-assets that are financial instruments – generally the same regulatory regime is applicable; however, there are certain differences depending on the type of platform (regulated market, MTF, OTF).

Types of financial instruments that may be listed in OTFs are limited to bonds, structured finance products, emission allowances or derivatives.

MiCA is applicable for crypto-assets that are not considered financial instruments, and operation of a trading platform requires a licence under MiCA.

The long-standing position of the Bank of Lithuania (applicable until the implementation of MiCA) was that licensed financial service providers (including operators of regulated markets and investment firms) should not be involved in crypto-asset-related activities; thus, crypto-assets were not traded in regulated markets, MTFs or OTFs. However, in practice, some methods of co-operation with CASPs existed to facilitate the needs of clients to invest in crypto-assets. Following MiCA, the Bank of Lithuania should be more flexible; however, the exact scope of tolerance for combining CASPs and other financial services is yet to be seen.

Until the implementation of MiCA, trading in crypto-assets did not fall under financial service regulations (generally, with the exception of AML/CFT compliance). The relative ease of obtaining CASP registration under the national regime (prior to the implementation of MiCA) made Lithuania a key hub for CASPs in the EU. Lithuania has chosen an extremely short transitional period for provision of CASP services without the MiCA licence, which will expire on 1 June 2025.

The Law on Markets in Financial Instruments requires that rules for admission to regulated markets be clear and transparent. Such rules are subject to prior approval by the Bank of Lithuania. Presently, the only operator of a regulated market established in Lithuania is AB Nasdaq Vilnius, and listing standards are published on its website. Listing standards typically set a number of requirements based on the Law on Markets in Financial Instruments (eg, to ensure that any financial instruments admitted to trading on a regulated market are capable of being traded in a fair, orderly and efficient manner and, in the case of transferable securities, are freely negotiable); however, some provisions are more market-specific (eg, to be listed in the main list, there should be a free float of at least 25% of shares or shares with a market value of at least EUR10 million).

Trading in MTFs and OTFs also necessitates meeting certain requirements, which are less strict than the requirements for admission to the regulated market.

Order handling rules depend on the type of service and trading platform, and the main requirements are set in the Law on Markets in Financial Instruments.

Investment service providers must provide services in the best interest of the clients. When executing orders, the best possible result for their clients is attained by taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order. In addition, an execution policy must be adopted.

Law on Markets in Financial Instruments requires that order handling rules ensure fair, transparent and efficient trading, as well as contain detailed provisions on trading procedures, settlement rules and dispute resolution mechanisms.

The investment firms and regulated market operators that administer MTFs or OTFs must approve and apply transparent rules and procedures that ensure fair and orderly trading, and must establish objective criteria for efficient order execution. Specific requirements for the prevention of conflict of interest are applicable. With respect to MTFs, such rules must be non-discretionary.

Crowdfunding platforms are subject to licensing and regulation under the Crowdfunding Regulation. The crowdfunding market is well developed in Lithuania and the introduction of EU licensing under the Crowdfunding Regulation has not changed this situation.

Prior to the introduction of the Crowdfunding Regulation, a “secondary market” for crowdfunding projects was widely used (though, typically, for loan-based crowdfunding). However, after the implementation of the Crowdfunding Regulation, the “secondary market” functionality was either changed to a “bulletin board” (ie, a place where each party may provide notes on intention to sell/purchase investment without automatic execution rules) or fell within the framework of the Law on Markets in Financial Instruments.

The main challenges are transparent pricing and robust risk assessment of the proposed projects for financing. As crowdfunding has attracted a significant portion of high-risk borrowers and some of the loans are non-performing, it is likely that limitations of liability of crowdfunding platform operators will be tested in courts.

Peer-to-peer lending platforms (both for consumer credits and mortgage credits) are regulated and licensed under national regimes.

Peer-to-peer lending is specifically regulated under:

• the Law on Consumer Credit – lending to natural persons for consumption purposes; and
• the Law on Real Estate-Related Credit – lending to natural persons where the obligations are secured by a right related to immovable property (mortgage on immovable property, etc).

The laws regulate the activities of peer-to-peer lending platform operators and the procedure for inclusion in the public list of peer-to-peer lending platform operators.

Creditworthiness of the borrower must be assessed and the principles of responsible lending should be followed (just as for other consumer credit providers). Thus, the peer-to-peer lending operator must collect information for creditworthiness assessment, and must verify the information provided by the borrower in accessible databases or gather other supporting evidence.

Typically, such platforms also provide a “secondary market” function – ie, original investors may transfer their investments (claim rights) to other investors.

Payment for order flow was a controversial issue for some time. However, the latest amendments to MiFIR generally introduced an EU-wide ban on payment for order flow from 2026.

EU’s Regulation on Market Abuse (MAR) is the main regulatory instrument addressing market abuse, including insider dealing, the unlawful disclosure of inside information and market manipulation.

The Law on Securities, implementing EU’s Directive on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market, provides additional disclosure requirements for listed companies. The requirements of the EU’s Regulation on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market are also directly applicable.

The Bank of Lithuania has issued guidelines on disclosure of information, providing detailed guidance on compliance with market integrity requirements.

In addition, MiCA also provides for directly applicable market integrity rules for trading in crypto-assets.

The legal framework for algorithmic trading is set out in the Law on Markets in Financial Instruments, transposing MiFID II. As for all other investment service providers operating under Lithuanian legislation, investment firms providing services based on algorithmic trading must be licensed by the Bank of Lithuania. Brokers utilising algorithmic trading must notify the Bank of Lithuania of doing so, and should have various risk management procedures and business continuity measures in place.

In the case of high-frequency trading (HFT), brokers are obligated to keep an accurate record of all orders placed by them in a time-sequential format – including cancelled orders, executed orders and quotes on trading venues – and should make this available to the Bank of Lithuania upon its request.

MiFID II introduced various regulatory requirements across asset classes, including transparency, risk management and reporting obligations, which affect brokers using algorithmic trading and HFTs; however, specific rules for different asset classes in regard to algorithmic trading do not apply.

An investment firm that engages in algorithmic trading is considered to be pursuing a market-making strategy when, as a member or participant of one or more trading venues, its strategy, when dealing on its own account, involves posting firm, simultaneous two-way quotes of comparable size and at competitive prices relating to one or more financial instruments on a single trading venue or across different trading venues, with the result of providing liquidity on a regular and frequent basis to the overall market.

While an investment firm is not automatically required to register as a market maker, if the broker is engaged in algorithmic trading that seeks to pursue a market-making strategy, based on the Law on Markets in Financial Instruments, taking into account the liquidity, size and nature of the market in question and the characteristics of the financial instrument traded, it must adhere to certain requirements – ie, it must:

• continuously participate in market making during the trading hours of the trading venue (except in exceptional circumstances) in order to ensure regular and predictable liquidity of the trading venue;
• enter into a binding written agreement with the trading venue, setting out at least the duties of the market maker that relate to the duties referred to in the item above; and
• have effective systems and controls in place to ensure that it can meet its obligations under the agreement with the trading venue at any time.

Rules regarding HFTs and algorithmic trading are applicable to investment firms (and banks providing investment services). Should they decide to engage in algorithmic trading or HFTs, the investment funds are not subject to specific rules.

While programmers and programming are not directly regulated (under MiFID II and the Law on Markets in Financial Instruments), financial service providers are required to have in place such information technology mechanisms as are compliant with the current regulations in regard to transparency, AML/CFT, sanctions compliance, fraud prevention, data protection and other strictly regulated fields. Programmers should also account for the soon-to-be applicable DORA.

If the financial service provider decides to outsource the programming of the algorithmic trading tool, it should assess all possible risks following such a decision as well as ensure close monitoring of the third-party programmer. As the financial service provider is a participant in a financial market, it is required to comply with outsourcing requirements laid out by the Bank of Lithuania in accordance with the guidelines set out by the European Banking Authority. Since mid-January 2025, DORA requirements will be directly applicable for such outsourcing.

The underwriting process is regulated through EU Directive 2016/97, which is transposed into national law through the Law on Insurance of the Republic of Lithuania, the Civil Code of the Republic of Lithuania, Resolutions of the Board of the Bank of Lithuania and other national legal acts.

The insurtech landscape in Lithuania is not as prominent as in other jurisdictions, so the usual underwriting processes used by industry participants operating in Lithuanian jurisdiction are similar to regular good practices of risk evaluation based on the specific type of insurance found around the EU. Still, start-ups are experimenting with peer-to-peer coverage models, usage-based insurance and streamlined digital claims processes, in which the Bank of Lithuania’s regulatory sandbox provides a crucial support mechanism for testing innovative insurance approaches, as the national legislation may not always cohere with new creative insurance solutions.

As regards transposing EU Directive 2009/138 (Solvency II) into national law, the Civil Code of the Republic of Lithuania and the Law on Insurance of the Republic of Lithuania follow Solvency II’s separation of life and non-life activity, generally prohibiting the same licensed entity from providing both types of insurance and setting out different prudential and regulatory requirements depending on the activity.

Requirements on insurance activity and products vary depending on:

• whether insurance is mandatory;
• whether the risk is considered large;
• the type of insurance; and
• the specific class of insurance.

Some insurance is regulated under separate laws, and legislation is further supplemented by the resolutions of the board of the Bank of Lithuania and other supplementary legal acts. Each type of insurance adheres to different regulations, collectively making up a vastly legislated field.

Recently, the Bank of Lithuania focused on insurance-based investment products to ensure management of conflicts of interest and transparency.

All insurance market participants taking up insurance and reinsurance services must obtain authorisation for the provision of both life and non-life insurance.

Regtechs themselves are not regulated specifically (except for electronic ID and trust service providers, which must be licensed under the EU’s Regulation on electronic identification and trust services for electronic transactions in the internal market (the “eIDAS Regulation”). However, should financial institutions enter into service provision agreements with such undertakings, they are obliged under both EU and national law to determine whether the agreement is not considered outsourcing; if it is, they must be sure to implement specific terms and conditions under national requirements based on the European Banking Authority Guidelines on Outsourcing.

In general, as financial institutions are an important market for regtechs, they must be well acquainted with the financial law of the actual jurisdiction and tailor their solutions accordingly. There is no exception to this in Lithuania.

Regtechs must also ensure compliance with DORA, and that information technologies provided by them are up to par with the requirements raised by DORA if they are to keep providing to the financial sector. This also requires revision of the majority of existing contracts.

If financial institutions enter into service provision agreements with regtechs, they are obliged under both EU and national law to determine whether the agreement is not considered outsourcing; if it is, they must be sure to implement mandatory contractual terms and conditions.

Generally, such requirements follow the European Banking Authority Guidelines on Outsourcing – eg:

• to ensure the rights of both the financial institution and the supervisory authority;
• to supervise the provision of the outsourced service;
• to ensure that the outsourced regtech service adheres to national and EU regulatory requirements;
• to ensure the safety of the data of the financial institution and its clients, and that it is processed under EU law;
• to regulate sub-outsourcing of the regtech service;
• to ensure that agreed service levels are met; and
• to lay grounds for effective transition periods if the financial institution decides to enter into a new agreement with a different regtech, and to terminate the outsourcing agreement.

In addition, some contracts must be notified to the Bank of Lithuania in advance.

Implementation of blockchain among traditional players in Lithuania’s financial sector is scarce, and most innovations are introduced by fintech start-ups. This is unsurprising, for several reasons.

Prior to the entry into force of MiCA, the Bank of Lithuania was holding onto the position that undertakings providing financial services should not provide crypto-asset-based services – meaning that legacy and traditional market participants are either sceptical of blockchain or have not yet found any integration possibilities for it within the operations of the financial institution.

On the other hand, the Lithuanian jurisdiction provides a start-up-friendly environment for fintechs. Both governmental (such as the “LBChain” sandbox environment for start-ups) and non-governmental undertakings (the Blockchain Competence Centre in Lithuania) promote the swift expansion of blockchain-based fintech start-ups in Lithuania.

To conclude, the use of blockchain is prominent within the fintech start-up economy and scarce among traditional market participants.

Prior to entry into force of MiCA, the regulation of blockchain was scarce and relevant fintechs were only partially addressed in AML/CTF-related regulations.

As mentioned previously, the Bank of Lithuania (as the supervising authority for financial institutions) was very careful regarding its position on crypto-assets, stating that financial institutions should not provide both financial and crypto-asset-based services through a single undertaking.

Now that MiCA has entered into full effect, distributed ledger technologies are regulated on a supranational level by the Regulation. The national legislative organ has also approved the Law on Crypto-Asset Markets, which designates the Bank of Lithuania as the supervisory authority for blockchain-based crypto-asset service providers. It specifies some of the requirements set out by MiCA to make them more cohesive with the national legislation in force, as well as the possible sanctions that may be imposed by the Bank of Lithuania in cases of failure to comply with MiCA and the aforementioned law.

Prior to MiCA, the only blockchain assets addressed were cryptocurrencies, through national AML/CTF legislation, which classifies cryptocurrencies as virtual currencies that have an electronic monetary value, are accepted as a medium of exchange and can be stored/transferred/exchanged but that are not issued or backed by the government.

MiCA sheds some light as regards crypto-assets (blockchain assets) being defined as financial instruments and falling under MiFID II rather than MiCA, and regarding what crypto-assets are directly regulated under MiCA.

MiCA introduces definitions of asset-referenced tokens, e-money tokens (both of which are also understood as stablecoins) and other crypto-assets not falling under the description of the previously mentioned tokens.

MiCA does not apply to entities providing crypto-asset services solely to group companies, insolvency administrators (with limited exceptions), central banks, public authorities, the European Investment Bank and similar institutions, as well as to public international organisations.

MiCA also excludes non-fungible crypto-assets (NFTs) and crypto-assets classified as financial instruments, deposits, funds (unless e-money tokens), securitisation positions, insurance products, pension products and social security schemes.

ESMA has published guidelines clarifying when crypto-assets qualify as financial instruments.

MiCA covers the issuing (and issuers) of asset-referenced tokens (ARTs), e-money tokens (EMTs) and other crypto-assets not falling under the description of ARTs and EMTs. The regulation specifically lays out all requirements for authorisation to issue, offer to the public and admit to trading previously mentioned types of assets, while the EBA and ESMA have published Implementing and Regulatory Technical Standards (ITS/RTS) further specifying the depth and detail of the authorisation process.

Issuers of Asset-Referenced Tokens (ARTs)

These tokens can be tied to a pool of assets, which can include one or more fiat currencies or commodities. The value of the ARTs is derived from the value of the underlying assets.

Issuers and initial offerors of ARTs under MiCA have significant regulatory obligations owing to the potential systemic risks these crypto-assets may pose to their holders, and need authorisation for such activity. Along with the crypto-asset White Paper, the issuing undertaking must also have in place various policies and procedures to ensure the liquidity and stability of the assets, as well as have qualified employees and shareholders that are compliant with EU law.

Issuers of EMTs

EMTs are intended to maintain a stable value by referencing a single fiat currency.

EMTs may only be issued, offered to the public or admitted to trading by credit institutions and e-money institutions. Such issuers and offerors of EMTs must also adhere to strict requirements similar to issuers of ARTs.

What is also interesting under MiCA is that EMTs are classified as electronic money, meaning that the institutions issuing the EMTs will be obliged to ensure that the token can be redeemed at any time for its tied fiat currency.

Issuers of Other Crypto-Assets

Issuers and offerors of any other crypto-assets not classified as ARTs or EMTs – such as utility tokens – must also meet certain transparency and disclosure obligations, particularly when offering the tokens to the public or admitting them to trading on a platform.

Where crypto-assets are classified as financial instruments, their issuers and offerors fall under the Prospectus Regulation and MiFID II legislation, and under the Law on Markets in Financial Instruments transposing them.

One of the main elements ensuring the transparency of a crypto-asset and its holder’s protection under MiCA is a uniform crypto-asset White Paper. There are certain exceptions where a White Paper is not needed (ie, owing to little relevance or type of a crypto-asset), but generally every issuer of a crypto-asset will have to draw up a White Paper following the standards set out by the EU.

All stablecoin issuers operating in EU jurisdiction must ensure their proper authorisation under MiCA. Until then, however, cryptocurrency exchanges operating in the EU will have to delist such crypto-assets from their trading platforms.

MiCA sets out uniform requirements for CASPs. Starting from 2025, all CASPs are subject to authorisation from their competent supervisory authorities. All applicants are required to:

• provide documentation regarding their management and stakeholder structures, programmes of operations, various risk management policies and procedures (eg, AML/CTF, outsourcing, complaints handling and others);
• meet specific capital, prudential requirements; and
• adhere to certain requirements regarding safeguarding of holders’ funds.

National law does not have specific regulations addressing the provision of staking services related to cryptocurrencies. However, services such as staking may fall under the broader category of crypto-asset services, potentially requiring a MiCA licence and compliance with established standards.

Currently, Lithuania lacks specific regulations for lending services involving cryptocurrencies. Lending or borrowing of crypto-assets is not automatically considered a licensable activity under MiCA; however, typically it forms part of a licensable activity due to other related services – eg, provision of custody and administration services.

Typically, cryptocurrency derivatives are considered financial instruments, and the general Prospectus Regulation and MiFID II framework is applicable.

Decentralised finance (DeFi) platforms operate in a regulatory gray area in Lithuania. There is no specific legislation governing DeFi services, and the decentralised nature of these platforms complicates regulatory oversight. However, if a DeFi platform facilitates the trading of security tokens or cryptocurrencies, it may be subject to existing financial regulations, especially if it involves intermediaries or offers services akin to traditional financial activities. 

It is important to note that the regulatory landscape is evolving, and the full impact of MiCA on these areas will become clearer as the Regulation is fully implemented and interpreted by national authorities.

Based on the Bank of Lithuania’s position regarding virtual assets and issuance of virtual assets tokens, management of funds for investment in crypto-assets (excluding funds intended for professional investors) may be incompatible with the main activity of supervised financial institutions. Thus, only funds intended for professional investors may invest in crypto-assets.

This position will likely be adjusted; however, investment restrictions are likely to remain, especially for strictly regulated UCITS funds.

With MiCA entering into force, all blockchain assets are collectively referred to as crypto-assets, into which fall traditional cryptocurrencies. Cryptocurrencies that are not considered ARTs or EMTs generally fall into the category of remaining crypto-assets.

NFTs are not directly addressed either in the EU or in national legislation.

MiCA is no exception to this, as it specifically states that it does not apply to NFTs. That said, ESMA has published Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments that address whether an NFT may fall under MiCA:

• if the NFT lacks distinct attributes and shares comparable, interchangeable characteristics with other tokens (in its collection, for example), it should be viewed as fungible;
• NFTs that are part of a collection or series can lose their uniqueness if their value is influenced by the other NFTs in the series;
• when multiple NFTs provide the same utility or access rights (eg, event access), they may become interchangeable (reducing their uniqueness) and may be classified as fungible; and
• dividing a unique NFT into fractional parts for shared ownership renders those fractions non-unique, as each fraction represents a part of the same asset.

In all these cases, the NFT could fall under MiCA’s regulatory scope due to its fungibility; however, it is still worth mentioning that these examples are still purely theoretical until MiCA has been properly realised in practice.

Regulation of open banking stems from the Law on Payments of the Republic of Lithuania, transposing the EU’s Payment Services Directive 2 (PSD2).

Generally, the Lithuanian legal framework supports open banking by mandating that every financial institution under Lithuanian law develop application programming interfaces (APIs) to conduct open banking operations with third parties.

These imperative obligations both promote a friendly landscape for start-up integration into the market as well as minimise the risks of a potential monopoly of a dominating financial institution, in terms of availability to conduct inter-financial institution transactions by the user.

In terms of the influence of PSD2 on open banking in Lithuania, the jurisdiction already had a system co-ordinated by the Lithuanian Banking Association that connected banks, allowing for convenient domestic inter-bank payments. Open banking, however, eliminated the need for this system as it was more expensive and less extensive than open banking. Overall, while introducing functions that were already somewhat implemented in Lithuania, open banking brought many positives by making inter-financial institution transactions cheaper to operate and by providing for a more fintech-friendly landscape.

All financial institutions operating under EU law must be licensed and supervised by competent national or supra-national authorities, meaning that they must adhere to robust data privacy and data security requirements under relevant EU law such as the GDPR and PSD2.

Technology providers, while not subject to licensing, must be acquainted with the robust regulation of the fintech landscape as well as data security and protection requirements if they are to provide a competitive product.

These compliance requirements became even more intricate with DORA entering into full effect in January 2025.

As the supervisor of financial institutions, the Bank of Lithuania defines the following types of fraud.

Unauthorised Payment Transactions

This includes situations where someone wrongfully uses or mismanages funds that belong to the payment service user (PSU), which are kept in their payment accounts or in their possession. It also covers any transactions made on behalf of the PSU that could have financial consequences for them but that were done without their knowledge or consent. Such transactions may occur due to the theft of payment instruments, for example.

Authorised Payment Transactions

This includes situations where payment transactions are carried out with the PSU’s consent, but the PSU was misled about the purpose, consequences or other important details of the transaction. Even though the PSU agreed to the transaction, their decision was based on false or misleading information. This type of fraud is conducted on the basis of activities such as phishing and vishing.

The Bank of Lithuania has raised concern in recent years about the ever-growing number of telephone call and message-based scams, where (for example) fraudsters try to gain a PSU’s credentials or other information used for authorisation by:

• leading them to a fake website of a real financial institution;
• getting them to provide their credentials on said website; and
• pressuring them by lying to them about a debt or the traffic accident of a relative, with the latter needing “urgent financial assistance”.

Traditional fraud as well as new means of fraud are always present and evolving. The Bank of Lithuania is trying to outpace this growth by organising various publications and consultations to increase the financial literacy of PSUs.

As with all member states of the EU, legislation also stipulates certain fraud risk prevention standards and requirements, further transposed by national legislation and various positions, resolutions and guidelines of the Bank of Lithuania. One of the most notable documents addressing fraud prevention nationally is the Fraud Prevention Guidelines of the Bank of Lithuania. These guidelines aim to help financial institutions and provide examples of good practice relating to fraud prevention.

The main regulatory focus on fraud prevention – including responsibility for losses – may be seen in the payment sector. There are considerable expectations for fintechs to take proactive measures to prevent fraud – this includes:

• provision of information on fraud typologies to clients; and
• a requirement to provide details of a transaction in an SMS, or a push-up notification during two-factor authentication.

Generally, if the client states that they have not authorised a payment transaction, the payment service provider must prove either fraud or gross negligence by the client, or otherwise must compensate the client for all losses.