AT A GLANCE

Lithuania requires financial institutions to comply with comprehensive  AML and CTF regulations obtain specific licenses such as EMI, Payment Institution, API, or Trust licenses, conduct KYC and KYB verification, perform sanctions screening, and adhere to GDPR data protection standards. The Bank of Lithuania serves as the primary regulator, with licensing processes typically taking 3 to 6 months and requiring €50,000 to €125,000 in capital depending on the license type. Some organizations use tools such as Flagright, our amazing no-code centralized AML compliance and fraud prevention platform to support monitoring and compliance workflows.

What Are the Main Regulatory Authorities in Lithuania?

The Bank of Lithuania is the central bank and primary supervisory authority overseeing all financial institutions in the country. It handles licensing, supervision, and regulation of banks, electronic money institutions, payment service providers, and other financial entities operating within Lithuanian jurisdiction.

The Financial Crime Investigation Service (FCIS) operates as a specialized institution investigating and preventing financial crimes, including money laundering and terrorist financing. The FCIS works closely with the Bank of Lithuania to ensure financial institutions comply with AML, CTF, and  sanctions screening and compliance obligations.

The State Data Protection Inspectorate (SDPI) monitors and enforces data protection regulations, ensuring financial institutions comply with GDPR and Lithuanian data protection laws. As an EU member state, Lithuania also adheres to European Union regulations and directives that apply to financial services.

Key Regulatory Bodies:

  • Bank of Lithuania: Primary licensing and supervisory authority
  • Financial Crime Investigation Service (FCIS): Financial crime investigation and prevention
  • State Data Protection Inspectorate (SDPI): Data protection oversight
  • European Union: Overarching regulatory framework through EU directives

What Licenses Do Financial Institutions Need in Lithuania?

Financial institutions must obtain specific licenses based on their business activities. The Bank of Lithuania issues several license types, each with distinct requirements and permitted activities.

Electronic Money Institution (EMI) License

An Electronic Money Institution (EMI) License allows companies to issue electronic money and provide payment servicesThis license is ideal for fintech companies operating digital wallets, prepaid cards, or e-money platforms. The application requires €350,000 in initial capital and comprehensive documentation of business operations, management team qualifications, and risk management systems.

The Bank of Lithuania typically processes EMI license applications within 3-6 months. Applicants must demonstrate robust AML/CTF procedures, adequate capital reserves, and qualified management personnel. EMI license holders can provide services across the EU through passporting rights.

Payment Institution (PI) License

A Payment Institution (PI) License enables companies to offer payment services such as money  remittances, payment processors, and account management without issuing electronic money. The PI license requires €125,000 in initial capital for standard payment institutions.

Payment institutions can provide services including payment initiation, acquiring services, money transfer, and payment account services. The licensing process involves demonstrating operational readiness, compliance frameworks, and financial stability to the Bank of Lithuania.

Authorized Payment Institution (API) License

The API license is designed for payment institutions seeking to provide a broader range of payment services with enhanced regulatory oversight. This license type requires higher capital requirements and more comprehensive compliance systems compared to standard payment institution licenses.

API license holders can execute payment transactions, provide merchant acquiring services, and offer payment account services. The Bank of Lithuania evaluates management competence, capital adequacy, and risk management capabilities during the application review, and strong case management helps demonstrate clear controls, documented decisions, and audit-ready processes.

Small Payment Institution (SPI) License

Small payment institutions can obtain an SPI license for limited payment service operations. This license type suits smaller fintech companies with average monthly payment volumes not exceeding €3 million. The SPI license requires lower initial capital (€50,000) and simplified compliance procedures.

SPI license holders face restrictions on service scope and transaction volumes. Despite these limitations, the SPI license provides an accessible entry point for startups and smaller payment service providers entering the Lithuanian market.

Trust License Requirements

Trust service providers offering qualified trust services under the eIDAS Regulation must obtain trust service provider licenses. Trust licenses enable companies to provide electronic signatures, seals, timestamps, registered delivery services, and website authentication certificates.

The application process requires demonstrating technical capabilities, security measures, and compliance with eIDAS technical standards. Brokerages and trusts holding a trust license must maintain robust security protocols and undergo regular audits.

Specialized Bank License

Specialized bank license allow institutions to provide limited banking services including accepting deposits, granting loans, and offering payment services. This license requires €5 million in initial capital and comprehensive banking infrastructure.

Specialized banks operate under stricter regulatory oversight than payment institutions but enjoy broader service permissions. The licensing process involves extensive evaluation of management experience, capital adequacy, and operational systems.

Peer-to-Peer (P2P) Lending Platform License

A Peer-to-Peer (P2P) Lending Platform License allows companies to operate platforms that connect lenders directly with borrowers, facilitating loans without acting as a traditional financial institution.

How Long Does the Licensing Process Take in Lithuania?

The licensing process typically takes between 3 to 6 months from initial application submission to license approval. The Bank of Lithuania reviews applications thoroughly, evaluating business plans, management qualifications, capital adequacy, and compliance systems.

Application timelines vary based on license type and application completeness. EMI and PI licenses generally require 4-6 months for processing. SPI licenses may be processed faster, often within 3-4 months. Specialized bank licenses involve longer review periods, sometimes extending beyond 6 months due to comprehensive regulatory requirements.

Incomplete applications or requests for additional information extend processing timelines. Applicants should prepare comprehensive documentation including detailed business plans, financial projections, risk management frameworks, and compliance procedures before submission.

Typical Processing Timelines:

  • Small Payment Institution (SPI): 3-4 months
  • Electronic Money Institution (EMI): 4-6 months
  • Payment Institution (PI): 4-6 months
  • Authorized Payment Institution (API): 4-6 months
  • Specialized Bank: 6+ months

What Are the Capital Requirements for Lithuanian Financial Licenses?

Capital requirements vary significantly based on license type and intended business activities. The Bank of Lithuania establishes minimum capital thresholds ensuring financial institutions maintain adequate resources for operations and risk management.

Minimum Capital Requirements:

  • Small Payment Institution (SPI): €50,000
  • Payment Institution (PI): €125,000
  • Electronic Money Institution (EMI): €350,000
  • Authorized Payment Institution (API): €125,000-€500,000 (activity-dependent)
  • Specialized Bank: €5,000,000

These capital amounts must be maintained throughout operations as regulatory capital. Institutions must demonstrate that capital is available and unencumbered during the application process. Additional capital may be required based on transaction volumes, business complexity, or specific risk factors identified by regulators, which firms often quantify through risk scoring.

What Is Lithuania's AML/CTF Legal Framework?

The Law on the Prevention of Money Laundering and Terrorist Financing establishes Lithuania's primary AML/CTF framework. This law implements EU Anti-Money Laundering (AML) Directives into Lithuanian legislation, setting obligations for financial institutions to detect, prevent, and report suspicious activities.

Lithuania complies with the Fifth and Sixth EU Anti-Money Laundering Directives (5AMLD and 6AMLD), incorporating enhanced due diligence requirements, beneficial ownership transparency, and expanded regulated entity categories. Financial institutions must implement comprehensive AML/CTF programs addressing all regulatory requirements.

Core AML/CTF Obligations

Financial institutions must conduct customer due diligence (CDD) for all business relationships, identifying and verifying customer identities before establishing accounts or executing transactions. Conducting customer due dilence (CDD) procedures include collecting customer information, understanding business relationships, and assessing risk levels.

Ongoing transaction monitoring is mandatory throughout customer relationships. Institutions must monitor transactions for unusual patterns, inconsistencies with customer profiles, or indicators of money laundering or terrorist financing. Monitoring systems should flag suspicious activities for investigation.

Record-keeping requirements mandate maintaining comprehensive documentation of customer identification, transactions, and risk assessments for at least five years after relationship termination. Records must be readily accessible for regulatory inspections and investigations.

Suspicious activity reporting to the FCIS is required when institutions detect transactions or activities potentially related to money laundering or terrorist financing. Reports must be filed promptly, and institutions cannot disclose reporting to affected customers (tipping off prohibition).

Risk-Based Approach

Lithuanian regulations require implementing risk-based AML/CTF frameworks, applying enhanced scrutiny to higher-risk customers, transactions, and business relationships. Institutions must develop risk assessment methodologies considering customer types, geographic locations, product types, and transaction patterns.

Enhanced due diligence (EDD) applies to politically exposed persons (PEPs), customers from high-risk jurisdictions, complex corporate structures, and high-value transactions. EDD measures include additional identity verification, source of funds verification, and senior management approval.

What Are KYC and KYB Requirements in Lithuania?

Know Your Customer (KYC) and Know Your Business (KYB) procedures are fundamental compliance requirements for Lithuanian financial institutions. These processes verify customer and business identities, assess risks, assess the potential risks associated with customers and businesses, and prevent financial crime.

Customer Identification and Verification

Financial institutions must collect and verify customer information including full names, dates of birth, addresses, and identification numbers. For individual customers, verification typically requires government-issued identification documents such as passports or national identity cards.

Corporate customers require additional documentation including company registration certificates, articles of association, and beneficial ownership information. Institutions must verify that businesses are legitimately registered and operating legally.

Beneficial Ownership Verification

Understanding beneficial ownership structures is crucial for KYB compliance. Financial institutions must identify ultimate beneficial owners (UBOs) controlling 25% or more of company shares or voting rights. UBO identification requires collecting ownership structure diagrams, shareholder registers, and individual identity verification for beneficial owners.

Lithuania maintains a beneficial ownership register administered by the State Enterprise Centre of Registers. Financial institutions should verify information against this public register while conducting independent due diligence.

Risk Assessment Procedures

Institutions must categorize customers based on risk levels (low, medium, high) considering factors such as customer type, geographic location, business activities, and expected transaction patterns. Risk categorization determines appropriate due diligence levels and monitoring intensity.

High-risk customers require enhanced due diligence including additional verification steps, more frequent reviews, and senior management oversight. Low-risk customers may qualify for simplified due diligence with streamlined verification procedures.

Which Sanctions Lists Must Lithuanian Institutions Screen Against?

Financial institutions must screen customers, transactions, and business partners against multiple sanctions lists to prevent prohibited transactions with designated individuals, entities, or countries subject to financial restrictions.  Our platform offers a comprehensive sanctions screening solution that automates the process, making it easier than ever to stay compliant.

National and EU Sanctions Lists

Lithuania maintains national sanctions lists complementing EU-level sanctions. As an EU member state, Lithuania automatically implements EU sanctions decisions. Financial institutions must screen against the EU consolidated sanctions list, which updates regularly as new sanctions are imposed or modified.

International Sanctions Lists

The United Nations maintains sanctions lists targeting individuals and entities threatening international peace and security. Lithuanian institutions must screen against UN consolidated sanctions lists. Many institutions also screen against the US Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list due to international business connections and correspondent banking relationships.

Ongoing Screening Requirements

Sanctions screening and compliance require continuous monitoring, not one-time checks. Institutions must implement automated screening systems checking new customers at onboarding and rescreening existing customers whenever sanctions lists update. Watchlist screening should occur in real time, flagging payments involving sanctioned parties before execution and generating real-time alerts.

Key Sanctions Lists:

  • EU Consolidated Sanctions List
  • UN Consolidated Sanctions List
  • OFAC Specially Designated Nationals (SDN) List
  • Lithuania National Sanctions List

What Data Protection Requirements Apply to Financial Institutions?

The EU General Data Protection Regulation (GDPR) establishes comprehensive data protection and privacy standards applicable to all Lithuanian financial institutions. Lithuania's Law on Legal Protection of Personal Data supplements GDPR with additional national requirements.

GDPR Compliance Obligations

Financial institutions must implement data protection by design and by default, embedding privacy considerations into all systems and processes. This includes minimizing data collection, securing data storage, and limiting data access to authorized personnel.

Data subject rights must be respected, including rights to access personal data, request corrections, demand erasure, restrict processing, and obtain data portability. Institutions must respond to data subject requests within one month. Data processing agreements are mandatory when engaging third-party service providers processing customer data.

Data Breach Notification

Financial institutions must report personal data breaches to the State Data Protection Inspectorate within 72 hours of breach discovery. When breaches pose high risks to individual rights, institutions must also notify affected individuals directly, explaining the breach nature, potential consequences, and mitigation measures taken.

Cross-Border Data Transfers

Transferring personal data outside the European Economic Area requires ensuring adequate data protection in destination countries. Institutions can use EU Standard Contractual Clauses, rely on adequacy decisions, or implement binding corporate rules for international data transfers.

What Regulations Apply to Cryptocurrency and Digital Assets in Lithuania?

Lithuania regulates cryptocurrency activities under virtual currency operator and depository virtual currency wallet operator licenses through the Law on the Prevention of Money Laundering and Terrorist Financing. Cryptocurrency service providers must register with the Financial Crime Investigation Service before commencing operations, demonstrating AML/CTF compliance capabilities, management qualifications, and operational readiness.

MiCA Regulation Implementation

The Markets in Crypto-Assets (MiCA) Regulation establishes EU-wide cryptocurrency regulation effective from 2024-2025, introducing comprehensive licensing requirements for crypto-asset service providers, stablecoin issuers, and other digital asset businesses. Lithuania is implementing MiCA requirements into national legislation, with cryptocurrency businesses preparing for enhanced regulatory obligations including capital requirements, governance standards, and consumer protection measures.

Stablecoin Regulations 2025

New stablecoin regulations under MiCA establish specific requirements for asset-referenced tokens and e-money tokens. Issuers must obtain authorization, maintain reserves backing tokens, and comply with operational requirements ensuring stability and redeemability. Lithuanian institutions dealing with stablecoins should monitor Bank of Lithuania guidance on MiCA implementation.

How Does Lithuania Compare to Other EU Fintech Hubs?

Lithuania has established itself as a competitive fintech jurisdiction within the European Union, offering streamlined licensing processes, supportive regulatory environment, and access to EU single market through passporting rights. Processing times are generally faster than major EU financial centers, with the Bank of Lithuania maintaining efficient application reviews while upholding rigorous standards.

Capital requirements align with EU minimum standards but remain competitive. English is widely used in regulatory communications, facilitating international fintech companies establishing Lithuanian operations. The Bank of Lithuania provides extensive documentation and guidance in English, making the jurisdiction accessible to foreign applicants.

Practical Tips for Maintaining Compliance in Lithuania

Establish a dedicated compliance function: Appoint a compliance officer responsible for monitoring regulatory developments, implementing procedures, and maintaining relationships with regulators. Lithuanian law requires designated AML compliance officers for most financial institutions, and AI forensics can strengthen their oversight by accelerating investigations, surfacing evidence, and supporting audit-ready reporting.

Implement robust compliance technology: Utilize platforms offering automated transaction monitoring, sanctions screening, KYC/KYB verification, and reporting capabilities. Technology solutions improve accuracy and ensure consistent compliance processes.

Conduct regular compliance training: Train all staff on AML/CTF obligations, sanctions compliance, data protection requirements, and internal procedures. Regular training ensures employees recognize suspicious activities.

Maintain comprehensive documentation: Keep detailed records of customer due diligence, risk assessments, transaction monitoring, and suspicious activity reports. Comprehensive documentation demonstrates compliance during regulatory inspections.

Stay informed about regulatory changes: Monitor Bank of Lithuania announcements, EU regulatory developments, and industry guidance. Subscribe to regulatory updates and consider engaging compliance consultants.

Engage with the Bank of Lithuania proactively: Maintain open communication with supervisors, seek clarification on unclear requirements, and report significant issues promptly. Proactive engagement demonstrates commitment to compliance.

Conduct regular compliance audits: Revised version:

Perform internal audits to assess the effectiveness of the data protection framework and overall compliance controls, and identify any gaps. Consider engaging external auditors for independent assessments.

Develop incident response procedures: Create clear procedures for handling data breaches, sanctions hits, suspicious activities, and other compliance incidents. Rapid responses minimize regulatory consequences.

Frequently Asked Questions

How much does it cost to obtain a financial license in Lithuania?

License application fees range from €3,000 to €10,000 depending on license type. Total costs including legal fees, compliance setup, and initial capital requirements typically range from €100,000 to €500,000. EMI licenses require approximately €350,000 in capital plus €50,000-€100,000 in professional fees. Payment institution licenses need €125,000 capital plus similar professional costs.

Can foreign companies obtain financial licenses in Lithuania?

Yes, foreign companies can obtain Lithuanian financial licenses. The Bank of Lithuania welcomes international applicants meeting regulatory requirements. Foreign applicants must establish a Lithuanian legal entity, appoint local management, and demonstrate adequate operational presence in Lithuania. EU passporting rights allow licensed institutions to provide services throughout the European Union.

What happens if a financial institution violates compliance requirements?

The Bank of Lithuania can impose penalties including fines up to €5 million or 10% of annual turnover, whichever is higher. Serious violations may result in license suspension or revocation. The FCIS can pursue criminal charges for money laundering or terrorist financing violations. Regulatory enforcement actions become public, potentially causing reputational damage affecting business operations.

Do I need a physical office in Lithuania to obtain a license?

Yes, financial institutions must maintain a physical office in Lithuania with adequate operational infrastructure. The Bank of Lithuania requires demonstrating genuine business operations in Lithuania, not merely a letterbox presence. Office requirements vary by license type but generally include professional workspace, necessary IT systems, and local staff capable of conducting regulated activities.

How often must financial institutions report to the Bank of Lithuania?

Reporting frequency depends on license type and institution size. Most institutions submit quarterly financial reports and annual audited financial statements. Large institutions may face monthly reporting requirements. Ad hoc reporting is required for significant events including management changes, capital adjustments, or material compliance incidents. Suspicious activity reports must be filed immediately upon detection.

What qualifications must management possess for license approval?

Management must demonstrate relevant experience, professional qualifications, and good repute. The Bank of Lithuania conducts "fit and proper" assessments evaluating management competence and integrity. Typical requirements include at least three years of relevant financial services experience, clean criminal records, and no regulatory sanctions history. Senior management should possess financial qualifications or equivalent practical experience.

Are there ongoing fees after obtaining a license?

Yes, licensed institutions pay annual supervisory fees to the Bank of Lithuania. Fees vary based on license type, institution size, and business activities. Annual fees typically range from €5,000 to €50,000. Additional costs include compliance technology, external audits, legal advisors, and compliance staff salaries. Institutions should budget €100,000-€500,000 annually for ongoing compliance costs.

Can licenses be transferred or sold in Lithuania?

Financial licenses cannot be directly transferred or sold. License acquisitions require Bank of Lithuania approval through change of control procedures. Prospective acquirers must meet the same regulatory standards as original license applicants including management fitness assessments and capital requirements. The Bank of Lithuania reviews all significant shareholding changes exceeding 10% ownership.

What is the process for obtaining API or PSP licenses in Lithuania?

Apply through the Bank of Lithuania's online portal, submitting comprehensive documentation including business plans, financial projections, compliance manuals, and management CVs. The regulator reviews applications within 4-6 months, potentially requesting additional information. Approval requires demonstrating adequate capital, qualified management, robust compliance systems, and operational readiness. Once approved, institutions can begin operations immediately.

How do Lithuanian cryptocurrency regulations differ from other EU countries?

Lithuania offers relatively straightforward cryptocurrency registration under AML/CTF legislation. Registration with FCIS is faster and less expensive than licensing in some EU jurisdictions. However, MiCA implementation will harmonize cryptocurrency regulation across the EU by 2025. Lithuania's proactive approach to fintech regulation has made it an attractive destination for cryptocurrency businesses, though regulatory requirements are becoming more stringent as MiCA takes effect.

Conclusion

Lithuania offers a well regulated, fintech friendly environment for financial institutions seeking EU market access. The regulatory framework encompasses AML and CTF requirements, licensing procedures, KYC and KYB obligations, sanctions screening, and data protection standards. Success requires proactive compliance management, robust systems, qualified personnel, and ongoing regulatory engagement with the Bank of Lithuania. Our no code centralized AML compliance and fraud prevention platform is designed to support these efforts, offering real-time transaction monitoring, customer risk assessment, KYB and ID verification, and sanctions screening. Schedule a free demo with us to see how it works in practice.