Legal requirements for successful EMI in one of the friendliest environments for FinTech

In recent years Lithuania aims to become FinTech-friendly country by creating environment that would attract new companies and encourage them to incubate new products in the country. It seems that this goal has been successfully achieved. According to the number of licenses granted for FinTech companies in last year, Lithuania is second in European Union and drops only to Great Britain. In 2018 the FinTech sector in Lithuania grew by 45% to a total of 170 FinTech companies and more than 2,600 employees in the country.

There are several aspects that help to create FinTech-friendly environment. One of the key is a relatively short time for obtaining an electronic money or payment institution licence – only 3 months, while in other countries it can take up to a year. It is also worth mentioning the payments system CENTROlink, created, maintained and developed by the Bank of Lithuania. It makes Lithuania unique in the European Union for the fact that not only commercial banks, but also smaller financial market participants (licensed payment and electronic money institutions, credit unions) can gain access to payments in euros in the Single Euro Payment Area (SEPA) via the central bank. Smooth processes are ensured by four local institutions - the Bank of Lithuania (licensing and supervision), Financial Crimes Investigation Service (supervision), the Ministry of Finance (strategy and promotion) and Invest Lithuania (promotion) – working all together and having the same vision regarding bringing FinTech companies into the country. And these are one of the main reasons why Lithuania has been so attractive to foreign FinTech companies.

However, it does not mean that each company is easily admitted. There are numerous of regulations that must be respected. Taking for the example electronic money institutions (EMI), the main focus is on the authorized capital and propriety of the EMI shareholders and the director and his deputy. The management body must be of good repute and possess the qualifications and experience necessary to properly perform their duties. There are a lot of aspects needed to be taken into consideration while assessing the mentioned. Generally, it can be said that the qualification and the experience of the management body shall be assessed taking into account the level and the nature of their education, in-service training, the nature and duration of their professional activity, and other factors that may affect personal qualification and experience. Although legal acts do not provide requirement for the management body to reside in Lithuania (present on-site), it is desirable for an EMI to have a director or another representative in Lithuania (usually it is compliance officer) who would be able to make decisions and who would be easily accessible if required. Entities with a qualifying holding in the EMI’s authorised capital and/or voting rights must be able to ensure reliable and prudent management of the EMI, have sufficiently high repute and be financially reliable.

Other not less important issue is compliance with the minimum capital requirement. According to the provisions of the Republic of Lithuania Law on Electronic Money and Electronic Money Institutions, an EMI must possess a minimum initial capital of no less than EUR 350,000. The initial capital must be formed prior to any decision regarding the day of issue of the licence.

EMI engaged in restricted activities is a subject to less stringent requirements.

The Bank of Lithuania requires the submission of relevant policies: operational program; business plan; description of measures taken (to be taken) to protect consumer funds; description of the governance arrangements and internal control systems, including administrative, risk management and accounting systems; description of the organizational structure; the questionnaire of the Head of the Financial Market Participant supervised by the Bank of Lithuania and the person performing the principal functions; questionnaire on operational risk for the applicant.

One of the most important and relevant policy is related with prevention of money laundering and terrorist financing. There is an obligation to assess the risks, associated with customers, geography, products, services, transactions or service channels. In order to manage risks efficiently, following steps must be taken: awareness of risks; evaluation of existing control measures; identifying weaknesses in existing procedures and assessing their need for updating/changing; setting maximum tolerance for customer risks; decision-making. All the risks must be constantly monitored and evaluated. That is why the company shall evaluate the likelihood that the risks will materialize, and the potential consequences, as well as describe all the risks properly and justify the reasons they are tolerated (the legislation does not set the minimum or maximum of risks that could be taken, it is up to the company to decide how much of risks it is willing to take, however, the scope of acceptable risks must be well-grounded). It is not enough just to write down the policies and actions of risks management on paper. The implementation and performance effectiveness monitoring is not less important. Not to mentioned, that policies need to be customized and adapted to a specific company.

Despite the fact that Lithuania already became one of the most attractive countries in the EU for starting FinTech activities, some of the questions are still waiting to be resolved. One of them is directly related to Brexit. In Lithuania, other than in the Great Britain, the driving licence is not treated as a person’s identity document due to the fact that driving licence does not indicate the nationality of the person. While the Bank of Lithuania seems to be ready to legally align the mentioned document to a person’s identity document, Financial Crimes Investigation Service worries that such assimilation could open the way to execute terrorist financing activities. Be that as it may, the issue is expected to be resolved and the answer regarding this matter should be given quite soon by the Parliament of the Republic of Lithuania.

Other issue is common not only for Lithuania, but for all European Union countries and is related to disclosure of final beneficiaries. Whereas GDPR protects personal information of individuals, the Directive of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing demands to disclose the final beneficiaries. It is not known yet how these two regulations and their requirements should be harmonized, as it is no precedent yet. For now the issue is left for the discretion of each member state, highlighting the importance for proper documentation of all personal information.