The Bank of Lithuania (BoL) is ushering in a new era of compliance for Electronic Money and Payment Institutions (EMIs/PIs) with Risk Management Process Guidelines effective January 1, 2026. These guidelines mark a shift away from prescriptive, rules-based mandates toward a principles-based, risk-driven approach. They outline expectations that risk management practices evolve with an institution’s lifecycle stage, scale, and complexity, reinforcing proportional compliance. Key themes include fostering a strong risk culture and governance framework, maintaining comprehensive documentation (risk registers, incident logs, risk maps, etc.), and implementing continuous risk monitoring with regular reviews and reporting to leadership.

For fintech compliance officers in Lithuania and international fintechs entering this market, understanding these changes is crucial. Equally important is identifying solutions that can meet and exceed these regulatory expectations. Flagright is uniquely positioned to help financial institutions comply with these new principles and build a future-proof, scalable risk management program. In this article, we break down the BoL’s new guidelines and show how Flagright’s risk scoring engine and platform capabilities align with and fulfill these requirements.

From Rules to Principles: Proportional Compliance by Design

One of the most significant changes in the new guidelines is the shift from a rules-based compliance approach to a principles-based approach. Rather than rigid checklists of rules, BoL emphasizes broad principles and outcomes, giving institutions flexibility in how they achieve effective risk management. The guidelines explicitly note that they are recommendatory, encouraging firms to adopt best practices and innovative methods in organizing their risk management processes. In other words, if an institution can demonstrate that its approach is equivalent and effective, it may deviate from the specific examples in the guidelines. This flexible stance is coupled with the principle of proportionality: risk management expectations are scaled to the size, complexity, and risk profile of each institution. Smaller or less complex fintech startups are not held to the same detailed processes as a large, mature financial institution; instead, each company’s compliance should be commensurate with its risk exposure and business model.

This proportional, principles-driven mindset requires fintechs to build adaptable risk frameworks. Rather than treating compliance as a box-ticking exercise, institutions are expected to continuously assess and enhance their risk controls as they grow. The guidelines explicitly anchor proportionality to an institution’s growth stage, stating that risk management practices should mature together with the business. For compliance officers, this means constantly evaluating whether their risk management tools and policies remain adequate for their company’s current scale and risk environment. Flagright’s philosophy aligns closely here: its platform offers flexibility and customization to tailor risk models and controls to an institution’s evolving needs, ensuring that even as you grow, your compliance remains “right-sized” – neither under-engineered nor overly cumbersome.

Lifecycle Maturity Model: Risk Management Through Each Stage

The BoL guidelines introduce a lifecycle maturity model that delineates four stages of an institution’s development (startup, growth, expansion, and maturity) and ties risk management expectations to each stage. This is a forward-thinking move that recognizes a young fintech’s risk management processes will naturally look different from those of a well-established EMI/PI. Below is a brief overview of each stage and the corresponding risk management posture:

  1. Startup: A newly licensed institution that is just beginning operations (or preparing to launch). At this stage, the organization is small with a simple structure, and it may rely on very basic tools and ad-hoc processes to manage risks. The guidelines acknowledge that startups can use “simple tools – such as Excel spreadsheets or Trello boards” to record decisions and track risks. The risk management responsibilities might be shared among a few team members, and decision-making is quick and informal. The focus is on establishing foundational controls and a risk-aware mindset as the business model is tested.
  2. Growth: Once the institution acquires its first customers and starts scaling in its initial market segment, it enters the growth stage. Here, the vertical growth (scaling within the original product/market scope) requires more structured risk management. Teams expand and new staff need training on risk policies; compliance remains a key focus even as the company chases efficiency and revenue growth. The guidelines note that during growth, firms should start formalizing their risk management system – key processes should be documented and consistently applied, and regular (e.g., monthly or quarterly) reporting to management should begin. If there are significant changes to the business model or strategy at this stage, the institution must revisit its risk strategy and risk appetite, updating all internal documents accordingly. In practice, this means a growth-stage fintech should be periodically updating its risk assessments and controls to keep pace with its expanding operations.
  3. Expansion: In the expansion stage, the institution broadens its horizons – whether by offering new services, targeting new customer segments, or entering new geographic markets. This horizontal expansion introduces greater complexity and potentially higher risk exposure. The guidelines indicate that risk management and internal controls should be significantly strengthened at this point. Organizational structure becomes more complex (often to meet requirements in multiple jurisdictions), and technical innovations play a bigger role in managing compliance and risks. BoL expects that by expansion stage, risk management is fully integrated into the business’s strategic planning, with data analytics and insights driving decision-making. Institutions are encouraged to adopt more sophisticated risk management tools – for example, project management and workflow systems like Jira, Asana, or Monday.com, or even in-house automated solutions that integrate with daily processes. The idea is that as a fintech grows, manual or simplistic approaches to risk become inadequate; automation and advanced platforms should take their place. There is also an increased emphasis on feedback loops: continuous monitoring, regular risk reviews, and organization-wide information sharing ensure that risk awareness permeates both top-down and bottom-up.
  4. Maturity: The mature stage is reached when the institution becomes a major market player – possibly a public-interest entity or one preparing for an IPO. At this point, the firm’s risk management practices are expected to be industry-leading. According to the guidelines, a mature institution’s approach to risk can even set or influence market standards. Risk management is not only embedded in strategy but actually starts to drive strategic innovation and decision-making. Importantly, the guidelines state that in the maturity stage, risk management tools should be fully automated and capable of handling the complexity of the enterprise. In short, everything from transaction monitoring to incident reporting should happen through robust systems with minimal manual intervention. Compliance and risk oversight become a core pillar of the company’s identity, receiving significant attention at the board and senior management level.

By outlining these stages, the Bank of Lithuania is effectively telling fintechs: grow your risk management capabilities in step with your business. A “one-size-fits-all” compliance program won’t cut it. Startups might get by with spreadsheets and basic checklists now, but they should be planning for more advanced risk frameworks as they scale. Conversely, a mature institution must demonstrate sophisticated, well-resourced risk controls. This lifecycle model underscores why scalability is key for any risk management solution. Flagright’s platform was built with this in mind, supporting fintechs from their infancy through international expansion, ensuring that a company’s risk management infrastructure can seamlessly evolve from simple to state-of-the-art on the same platform.

Strengthening Risk Culture and Governance

Beyond process and tools, the new guidelines put a strong emphasis on risk culture and governance. The Bank of Lithuania considers an effective risk culture to be an integral part of good governance and a cornerstone of effective risk management. In fact, the guidelines explicitly require an institution’s governing bodies to foster an integrated, consistent risk culture throughout the organization. This means leadership – from the board to executives – must set the tone for how risks are viewed and addressed, ensuring that every employee understands their role in managing risk. A “risk-aware culture” implies open communication about risks, no blame for raising issues, and informed decision-making with clear risk tolerance limits.

In practical terms, the institution should clearly define its risk appetite (the level and types of risk it is willing to accept in pursuit of its business objectives) and ensure this is communicated and understood at all levels. The guidelines tie risk appetite to strategic planning: firms are expected to have a formal risk strategy that aligns with their business plan and goals, and to revisit this risk strategy as the business evolves. For example, when entering a new market or launching a higher-risk product, management should recalibrate what levels of risk are tolerable and update the risk strategy accordingly. Both risk appetite and tolerance limits for different risk types must be clearly specified and approved by the collegial management body (e.g. the board). This ensures that risk-taking is intentional and within agreed bounds.

To support a strong risk culture, governance structures are also enhanced. Each institution must have clear roles and responsibilities for risk management oversight. If the company is small, a single officer might wear multiple hats initially, but as it grows, dedicated risk and compliance officers should be appointed. Senior management and the board should receive regular risk reports and actively discuss risk issues. The guidelines recommend involving not just risk specialists, but all departments and staff in the risk management process – from front-line employees to top management – so that awareness and accountability are organization-wide. Training programs, internal communications about lessons learned from incidents, and leadership example (“tone from the top”) are all components of building this culture.

Flagright’s platform can be an invaluable ally in cultivating and maintaining a strong risk culture and governance framework. By providing tools for documenting risk decisions and policies, and facilitating communication, Flagright helps ensure that the defined risk appetite and policies are not just paper concepts but actively used references in daily operations. Dashboards and reports can make risk metrics and trends highly visible to both executives and line managers, reinforcing an informed risk dialogue. Moreover, Flagright enables governance through features like role-based access control (so appropriate approval workflows can be set up for risk policy changes or incident resolutions) and audit trails, which record every change or action in the system. This creates accountability – a critical element of any risk culture. Essentially, Flagright centralizes the governance of risk: the board and compliance team can easily review what’s happening across the organization’s risk profile in one platform, supporting the “risk-aware” leadership and oversight that regulators expect.

Robust Documentation and Ongoing Monitoring Requirements

The 2026 guidelines also introduce structured documentation and continuous monitoring expectations that formalize how risk management should be carried out and reviewed. Key documentation requirements include maintaining a Risk Register, an Incident Log, and a Risk Map, as well as aligning all internal policies/procedures with the risk management framework. Let’s unpack these:

  • Risk Register: The risk register is essentially a comprehensive list or database of identified risks, containing details like risk descriptions, owners, assessment of impact/probability, and mitigation measures. The BoL defines a “risk register” as a document or database designated for recording information on risks. Institutions are expected to log all significant current and emerging risks in this register, keep it up to date, and review it regularly (at least quarterly) as part of their risk monitoring process. The register serves as a living inventory of the institution’s risk landscape.
  • Incident Log: Similarly, an “incident register” (incident log) must record information on any incidents that occur, particularly those related to operational risk, compliance breaches, or other risk events. This log captures issues like fraud attempts, IT outages, security breaches, or control failures – basically any event where a risk materialized. Documenting incidents is crucial for learning and preventing future occurrences. The guidelines expect institutions to track incidents and analyze them for root causes and trends.
  • Risk Map: The risk map is a more visual tool – described as a document, system, or visual aid where all risks are plotted graphically according to their likelihood and impact. Think of a classic risk heatmap: for each identified risk, how likely is it to occur and how severe would the consequences be? By mapping risks in this way, institutions can prioritize which risks need the most attention (e.g., high-impact, more probable risks). The guidelines require that a risk map be included in regular risk reports to management, ensuring that decision-makers see an aggregate view of the risk profile. Notably, the guidelines suggest that the risk map and risk register be interlinked, even allowing them to be integrated into one system or document for efficiency. Best practices mention showing the trend of risk levels over time and how they compare to the defined risk appetite and tolerance limits.
  • Internal Policies and Alignment: Alongside these specific documents, institutions must ensure all their internal governance documents (risk management policies, procedures, and related controls) are aligned with the new process guidelines. For example, an institution should have an internal Risk Management Policy or similar, which the guidelines refer to as an internal document defining the principles of risk management organization in the institution. This document should outline the company’s risk governance structure, risk assessment methodology, reporting lines, etc., and incorporate the principles of proportionality and lifecycle approach. Regular reviews of this framework are expected – the guidelines call for at least an annual review of the risk strategy, risk appetite, and risk management system, including a plan for improvements. This ensures the documentation isn’t static; it evolves as the institution and its environment change.
  • Continuous Monitoring & Reporting: Risk management is not a one-and-done task; it is a continuous cycle. BoL’s guidelines stress ongoing risk monitoring (stebėsena in the Lithuanian text), which involves tracking risk indicators, early warning signals, and any risk response actions on a periodic basis. Crucially, the guidelines expect institutions to perform a full review of their risk register at least quarterly. In practice, this means generating a quarterly risk management report for senior management or the board that summarizes current risks (with the risk map), incidents that occurred, and how the risk profile is evolving. Some institutions might do this more frequently (monthly) depending on their risk level, but quarterly is the baseline the guidelines set. Additionally, any significant changes or emerging risks should trigger prompt management attention outside the regular cycle. The guidelines also mention an annual risk management report and improvement plan as part of governance. All of this adds up to a regulatory expectation of a structured risk oversight rhythm: monitor continuously, report regularly, and refine the risk management process over time.
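As an added illustration (not text or code from the Bank of Lithuania guidelines, and not Flagright’s product), the Python below models the register, incident log and risk map from the bullets above as plain data and runs the checks a quarterly review needs: heatmap cells by likelihood and impact, entries overdue for review, scores above the tolerance limit for their category, the trend against the previous assessment, and incident counts linked back to each risk. The 1..5 scales, the 92-day review window, the rating cut-offs, the tolerance limits and every risk and incident are assumptions constructed for the example.

```python
"""Risk register, incident log and risk map as data, with the quarterly checks.
Added illustration, not code from the Bank of Lithuania or any vendor: the 1..5
scales, the 92-day review window, the rating cut-offs and the tolerance limits are
assumptions, and every risk and incident below is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass
class Risk:
    risk_id: str
    title: str
    category: str           # e.g. "fraud", "ict", "aml", "operational"
    owner: str
    likelihood: int         # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int             # 1 (negligible) .. 5 (severe), assumed scale
    last_reviewed: date
    previous: tuple = None  # prior assessment as (date, likelihood, impact), if any

@dataclass
class Incident:
    occurred: date
    risk_id: str            # link to the register entry that materialised
    description: str

def score(r):
    return r.likelihood * r.impact

def rating(s):
    """Assumed cut-offs for a 5x5 map: >= 15 high, >= 8 medium, else low."""
    return "high" if s >= 15 else "medium" if s >= 8 else "low"

def risk_map(register):
    """Heatmap cells keyed by (likelihood, impact) -> ids of the risks in that cell."""
    cells = defaultdict(list)
    for r in register:
        cells[(r.likelihood, r.impact)].append(r.risk_id)
    return dict(cells)

def render_map(cells):
    """Text heatmap: rows = impact 5..1, columns = likelihood 1..5, cell = count."""
    lines = ["impact\\likelihood  1  2  3  4  5"]
    for imp in range(5, 0, -1):
        lines.append(f"{imp:<18}" + "".join(f"{len(cells.get((lk, imp), [])):3d}" for lk in range(1, 6)))
    return "\n".join(lines)

def overdue_reviews(register, as_of, max_age_days=92):
    """Entries not reviewed within the quarterly cycle (assumed 92-day window)."""
    return sorted(r.risk_id for r in register if (as_of - r.last_reviewed).days > max_age_days)

def appetite_breaches(register, tolerance):
    """tolerance: category -> highest acceptable score; a category with no limit set counts as a breach."""
    return sorted(r.risk_id for r in register if score(r) > tolerance.get(r.category, -1))

def trend(r):
    """Direction versus the prior assessment, for the 'trend over time' line in the report."""
    if r.previous is None:
        return "new"
    prev = r.previous[1] * r.previous[2]
    return "up" if score(r) > prev else "down" if score(r) < prev else "flat"

def incidents_per_risk(register, incidents, as_of, window_days=90):
    """Incidents per risk in the trailing window; a climbing count on a risk still rated low
    is the signal for an out-of-cycle reassessment rather than waiting for the next quarter."""
    counts = {r.risk_id: 0 for r in register}
    for i in incidents:
        if i.risk_id in counts and 0 <= (as_of - i.occurred).days <= window_days:
            counts[i.risk_id] += 1
    return counts

def quarterly_report(register, incidents, tolerance, as_of):
    return {
        "as_of": as_of.isoformat(),
        "ratings": {r.risk_id: rating(score(r)) for r in register},
        "trend": {r.risk_id: trend(r) for r in register},
        "overdue_reviews": overdue_reviews(register, as_of),
        "appetite_breaches": appetite_breaches(register, tolerance),
        "incidents_90d": incidents_per_risk(register, incidents, as_of),
        "risk_map": render_map(risk_map(register)),
    }

# Constructed sample register, incident log and board-approved limits (not real data).
REGISTER = [
    Risk("R-001", "Card fraud losses", "fraud", "Head of Fraud", 4, 4, date(2026, 2, 15), (date(2025, 12, 10), 3, 4)),
    Risk("R-002", "Core payment outage", "ict", "CTO", 2, 5, date(2025, 12, 1), (date(2025, 9, 1), 2, 5)),
    Risk("R-003", "Sanctions screening miss", "aml", "MLRO", 2, 4, date(2026, 1, 20)),
    Risk("R-004", "Key person dependency", "operational", "COO", 3, 2, date(2026, 3, 10), (date(2025, 12, 10), 4, 2)),
]
INCIDENTS = [
    Incident(date(2026, 3, 2), "R-001", "Chargeback spike on a new merchant category"),
    Incident(date(2026, 3, 20), "R-001", "Account takeover via SIM swap"),
    Incident(date(2026, 1, 5), "R-002", "15-minute payment API outage"),
    Incident(date(2025, 11, 15), "R-003", "Sanctions list update applied late"),
]
TOLERANCE = {"fraud": 12, "ict": 15, "aml": 8, "operational": 9}

def sample_report():
    return quarterly_report(REGISTER, INCIDENTS, TOLERANCE, date(2026, 3, 31))

if __name__ == "__main__":
    print(sample_report()["risk_map"])
    print({k: v for k, v in sample_report().items() if k != "risk_map"})
```

Run as a script it prints the heatmap and the report fields. The design point is that register, incident log and map share one set of identifiers, so an incident can be traced to the risk it belongs to, the review date and tolerance check are computed rather than eyeballed, and a category that nobody set a limit for is flagged instead of silently passing.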

Meeting these documentation and monitoring requirements might sound daunting, especially for smaller fintechs; this is where a platform like Flagright becomes extremely valuable. Flagright provides out-of-the-box solutions for many of these needs, helping institutions stay organized and proactive in risk management:

  • Instead of keeping risks in a static spreadsheet, companies can use Flagright to input and update risk entries, categorize them, assign ownership, and link them to controls. The data is stored centrally and can be easily filtered or analyzed. Likewise, any compliance or fraud incidents can be logged into Flagright’s case management system, creating an audit trail of issues and how they were resolved.
  • Flagright’s analytics and dashboard features enable creation of a Risk Map or heatmap. By aggregating risk scoring data (for example, customer risk scores, transaction risk alerts) the platform can display which areas pose the highest risk. Users can visualize risk trends over time and see if they are within the defined risk appetite thresholds. Essentially, the dynamic risk scoring engine behind Flagright continuously evaluates various risk factors, which can feed into a real-time risk map for the institution’s exposure. This satisfies the guideline’s call for systematic, graphical representation of risks.
  • Because Flagright is a centralized platform, it inherently helps with policy alignment and version control. All your risk management rules, scoring models, and monitoring workflows are managed in one place, making it easier to ensure they are consistent with your internal policies. Whenever policies are updated (say, the board approves a new risk appetite statement or adds a new control procedure), those changes can be immediately reflected in how Flagright is configured. The platform keeps a log of configuration changes (providing an audit trail for compliance changes), which is useful for internal audits or regulator inspections.
  • Flagright also streamlines reporting. With built-in reporting tools, compliance teams can generate reports on risk metrics, incident statistics, and system alerts with a few clicks. Instead of manually compiling data from different sources, Flagright consolidates it, ensuring that quarterly risk reports or even ad-hoc updates to management are comprehensive and based on real-time data. Moreover, automated alerts and notifications can be set up (for example, sending a Slack or email notification to relevant executives if a high-severity incident occurs), aligning with the guideline’s push for timely communication of risk issues.

In summary, the new BoL guidelines demand that fintechs maintain diligent records and keep a close, continuous eye on their risk environment. Flagright’s platform is like a compliance co-pilot, taking care of the heavy lifting in documentation, monitoring, and reporting so that compliance officers can focus on analysis and decision-making. By using Flagright, institutions can confidently demonstrate to regulators that they have all the required logs and maps in place, and that their risk management process is an active, ongoing discipline rather than a periodic formality.

How Flagright Aligns with the 2026 Guidelines

It’s clear that the principles-based, lifecycle-oriented approach of the Bank of Lithuania will require fintechs to have flexible, scalable, and robust risk management capabilities. Flagright was designed with exactly these qualities in mind. Here’s how Flagright’s risk scoring engine and broader platform fulfill the key expectations outlined by the guidelines:

  • No-code, scalable risk modeling at every stage: Flagright provides a centralized, no-code platform for risk management, allowing institutions to configure risk models and rules without software development. This means a small startup can quickly set up basic risk scoring (e.g., simple rules or thresholds) and then easily evolve to complex, multifactor risk models as the business grows – all on the same platform. The risk scoring engine is highly dynamic, capable of assessing customer and transaction risks in real time based on customizable factors. Because it’s no-code, compliance teams can tweak risk parameters or add new scenarios on the fly to address emerging threats or new regulatory guidance, which is crucial for proportionality. Whether you’re serving 1,000 customers or 1,000,000, Flagright’s underlying infrastructure scales to handle the volume, so performance remains high even as your risk monitoring needs expand.
  • Risk appetite & governance documentation tools: Flagright helps you translate your abstract risk appetite and policies into actionable, trackable controls. The platform offers modules to document and enforce risk thresholds and limits, for example, setting rules for what constitutes a high-risk transaction or customer, in line with your board-approved risk appetite. These thresholds can be adjusted as needed and are applied automatically across all monitoring activities. Flagright also centralizes all your risk policies and workflows in one place, providing a single source of truth for the organization. This centralization makes it simple to ensure everyone is following the same guidelines and that any policy updates propagate through your operations. In essence, Flagright acts as a living repository for your risk management principles and procedures, complementing your internal policy documents. When regulators ask to see how you operationalize your risk strategy, you can show them the Flagright configuration as evidence of governance in action.
  • Built-in risk registers, incident tracking, and audit trails: With Flagright, you don’t need separate spreadsheets or systems for tracking risks and incidents; it’s baked into the platform. You can record identified risks directly in Flagright’s risk scoring module or as separate risk entries, complete with details and owners (much like a digital risk register). The platform’s case management functionality doubles as an incident log, where any suspicious activity or compliance incident is logged, investigated, and resolved. For that log to cover the scope the guidelines describe, operational events such as IT outages or control failures need to be recorded there as well, not only AML and fraud cases. Each case can capture notes, the actions taken, and outcomes, creating a rich log for audit purposes. All these actions are time-stamped and attributable to specific users, providing a full audit trail of risk management activities. The ability to tag and categorize incidents also means you can generate reports on incident frequency, types, and mitigation status. Furthermore, Flagright can produce risk heatmaps and other visualizations from the data, effectively generating the “risk map” that BoL expects institutions to maintain. These heatmaps can show, for instance, the distribution of customers across risk levels or trends in transaction risk ratings over time, which helps in board reporting and strategic discussions.
  • Real-time monitoring, anomaly detection, and decisioning: At the heart of Flagright is a powerful real-time transaction monitoring engine. The platform ingests data from your transactions, customer onboarding, payments, etc., as they happen, and applies risk rules or machine learning models instantaneously. This means Flagright can detect anomalies or red flags in real time, which is far more effective than end-of-month manual checks. For example, if a transaction pattern looks suspicious or a customer’s behavior suddenly spikes in risk, Flagright will flag it immediately for review or even auto-block it if that’s your chosen action. This continuous vigilance is exactly what regulators want to see: that institutions are not waiting for problems to blow up, but rather catching them early through automated systems. Flagright’s use of AI and pattern recognition adds an extra layer of intelligence, adapting to new threat typologies as they emerge. Moreover, all this is configurable: you can set the sensitivity of detection, define what constitutes an alert, and update these settings as your risk profile changes. The platform also supports automated decisioning workflows – for instance, automatically escalating a high-risk alert to compliance officers, or auto-approving low-risk events – which helps teams manage workload while staying responsive to risk. In terms of the BoL guidelines, this fulfills the expectation of continuous risk monitoring and timely management reporting, because Flagright can be configured to produce daily or weekly summaries of risk indicators and to send alerts to management for material issues.
  • Fostering risk culture via dashboards & collaboration: Flagright isn’t just a back-end engine; it also features intuitive dashboards and collaboration tools that can help instill a risk-aware culture in your team. Dashboards can be customized for different roles, for example, an executive dashboard might show key risk indicators, top emerging risks, and compliance KPI trends, whereas an analyst’s dashboard might show active alerts and case statuses. By making risk information highly visible and readily accessible across the organization, Flagright encourages all departments to engage with it. Team members from compliance, fraud, operations, and even product teams can have access (with proper permissions) to see relevant risk insights, breaking down silos. The platform supports commenting and notes on cases, so analysts and managers can collaborate on investigations within Flagright rather than in scattered emails. There’s even integration capability with communication tools (like Slack or email notifications), which means important risk updates can be pushed to the channels your teams already use. While Flagright may not replace a training management system, it can indirectly support training efforts by logging user activity (useful for showing regulators which staff have been active in managing alerts, for example) and by serving as a reference during training sessions (new analysts can learn by exploring past cases and decisions in Flagright). Overall, having a unified platform where everyone “plugs into” risk management promotes the kind of all-hands participation that BoL’s risk culture guidance envisions. It helps make risk management a living, breathing part of day-to-day work, not just the compliance team’s concern.
  • Flexible & customizable (Alignment with proportionality principle): A cornerstone of Flagright’s value is its extreme flexibility. Every fintech is different, and as the proportionality principle dictates, each should calibrate its risk management to its unique risk profile and scale. Flagright allows extensive customization to fit those unique needs. You can create custom risk scoring models (choosing which factors to include and how to weight them), define your own risk categories, set tailor-made alert rules, and even integrate external data sources that are relevant to your risk assessments. All of this can be done through a user-friendly interface, without coding, meaning you can adapt quickly as circumstances change. If regulators raise the bar on a certain risk (say, they issue new guidance on crypto transaction monitoring), you can rapidly adjust your controls in Flagright to comply. If your company pivots to a new business line, you can clone and tweak existing risk rules to cover the new scenario. This flexibility directly supports the guidelines’ call for proportionality: Flagright can be as simple or as sophisticated as needed, scaling up in complexity when the business warrants it. Smaller institutions can start with out-of-the-box default rules (ensuring quick compliance readiness), while larger or high-risk institutions can leverage the platform’s advanced features to construct a very granular risk management system. And importantly, as a cloud-based solution, Flagright continuously updates its capabilities (for example, adding new analytics or integrating updated regulatory lists), which means institutions benefit from the latest tools without having to overhaul their system. It’s a future-proof approach that aligns with the regulators’ expectation that fintechs keep pace with risk management best practices.
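To make concrete what a weighted multifactor risk model that grows with the business, sits under board-approved thresholds and carries an audit trail looks like, here is an added example in Python. It is not Flagright’s code or scoring model: the factor names, weights, point tables, score bands, the four-eyes approval rule and the 25% high-risk tolerance are all assumptions chosen for the illustration, and the customers are constructed sample records. A startup-stage model with two factors is promoted to a growth-stage model with four; the change is only accepted when a second person approves it, and the fingerprints of the old and new model are written to the audit log so it can be shown which configuration was live when.

```python
"""Weighted multifactor customer risk scoring with model versioning and a four-eyes
change audit trail. Added illustration, not Flagright's code or models: factor names,
weights, point tables, bands and the tolerance are assumptions, and the customer
records are constructed sample data."""
import copy
import hashlib
import json
from datetime import datetime, timezone
# A model is plain data so it can be versioned, diffed and approved like a policy. Each factor
# maps an attribute value to 0..100 points ('default' covers unknown values and is set high);
# weights must sum to 1; a score at or above a band threshold takes that band's label.
STARTUP_MODEL = {
    "version": 1,
    "factors": {
        "country": {"weight": 0.6, "points": {"LT": 10, "DE": 10, "TR": 60, "default": 80}},
        "pep": {"weight": 0.4, "points": {"yes": 100, "no": 0, "default": 50}},
    },
    "bands": [[70, "high"], [40, "medium"], [0, "low"]],
}
# Growth stage: same engine, two more factors, reweighted after a risk appetite review.
GROWTH_MODEL = copy.deepcopy(STARTUP_MODEL)
GROWTH_MODEL["version"] = 2
GROWTH_MODEL["factors"]["country"]["weight"] = 0.4
GROWTH_MODEL["factors"]["pep"]["weight"] = 0.2
GROWTH_MODEL["factors"]["channel"] = {"weight": 0.2, "points": {"branch": 10, "online": 30, "agent": 60, "default": 60}}
GROWTH_MODEL["factors"]["monthly_volume"] = {"weight": 0.2, "points": {"<1k": 0, "1k-10k": 30, ">10k": 70, "default": 70}}

def fingerprint(model):
    """Stable digest of a model, so the audit trail proves which configuration was live."""
    return hashlib.sha256(json.dumps(model, sort_keys=True).encode()).hexdigest()[:16]

def validate(model):
    factors = model["factors"].values()
    if abs(sum(f["weight"] for f in factors) - 1.0) > 1e-9 or any("default" not in f["points"] for f in factors):
        raise ValueError("weights must sum to 1 and every factor needs 'default' points")

def score_customer(model, customer):
    """Weighted sum of per-factor points; a missing attribute falls back to 'default'."""
    return round(sum(f["weight"] * f["points"].get(str(customer.get(name)), f["points"]["default"])
                     for name, f in model["factors"].items()), 1)

def band(model, score):
    """Translate a score into the institution's risk category (bands checked high to low)."""
    return next(label for threshold, label in sorted(model["bands"], reverse=True) if score >= threshold)

class ModelRegistry:
    """Live model plus an append-only audit trail; a change needs a proposer and a different approver."""
    def __init__(self, model, actor):
        validate(model)
        self.model, self.pending = copy.deepcopy(model), None
        self.audit = [self._entry("baseline", actor, actor, None, self.model, "initial model")]
    @staticmethod
    def _entry(action, proposer, approver, old, new, reason):
        return {"ts": datetime.now(timezone.utc).isoformat(), "action": action, "reason": reason,
                "proposed_by": proposer, "approved_by": approver,
                "old": fingerprint(old) if old else None, "new": fingerprint(new)}
    def propose(self, model, proposer, reason):
        validate(model)
        self.pending = (copy.deepcopy(model), proposer, reason)
    def approve(self, approver):
        model, proposer, reason = self.pending
        if approver == proposer:
            raise PermissionError("four-eyes rule: a proposer cannot approve their own change")
        self.audit.append(self._entry("change", proposer, approver, self.model, model, reason))
        self.model, self.pending = model, None
        return self.model["version"]

def portfolio_check(model, customers, max_high_share):
    """Share of the book in the 'high' band against an assumed board-approved tolerance."""
    labels = [band(model, score_customer(model, c)) for c in customers]
    share = labels.count("high") / len(labels)
    return {"high_share": round(share, 3), "within_appetite": share <= max_high_share}

# Constructed sample customers; C4 lacks the growth-stage attributes and gets their defaults.
CUSTOMERS = [
    {"id": "C1", "country": "LT", "pep": "no", "channel": "online", "monthly_volume": "<1k"},
    {"id": "C2", "country": "TR", "pep": "yes", "channel": "agent", "monthly_volume": ">10k"},
    {"id": "C3", "country": "DE", "pep": "no", "channel": "branch", "monthly_volume": "1k-10k"},
    {"id": "C4", "country": "NG", "pep": "no"},
]

def demo():
    """Move the live model from startup to growth stage under four-eyes control."""
    reg = ModelRegistry(STARTUP_MODEL, "cto")
    reg.propose(GROWTH_MODEL, "compliance_officer", "growth stage: add channel and volume factors")
    try:
        reg.approve("compliance_officer")  # same person as the proposer: must be rejected
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "self_approval_blocked": blocked,
        "live_version": reg.approve("board_chair"),
        "old_fingerprint_recorded": reg.audit[-1]["old"] == fingerprint(STARTUP_MODEL),
        "growth_scores": {c["id"]: score_customer(reg.model, c) for c in CUSTOMERS},
        "portfolio": portfolio_check(reg.model, CUSTOMERS, max_high_share=0.25),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two choices matter here for a regulator conversation. Keeping the model as data with a digest means a report can state exactly which weights produced a given customer’s score on a given date, and the proposer/approver split turns the board-approval step from a policy sentence into something the log enforces. Note that C4, which lacks the new attributes, drifts from medium towards the high band under the growth model purely through conservative defaults; that is the intended direction, but it is also why unknown values need a deliberate default rather than a silent zero.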

In sum, Flagright’s platform was practically tailor-made for a principles-based, risk-oriented regulatory environment. It gives fintechs the power to meet stringent risk management standards in a way that is efficient and scalable. Rather than juggling multiple point solutions or relying on manual processes that don’t grow well, institutions can use Flagright as an end-to-end solution that covers everything from customer risk scoring and transaction monitoring to case management and reporting. This comprehensive coverage is exactly what’s needed to address the holistic view regulators are taking, where AML, fraud, operational risk, and overall governance all intersect in a coherent risk management framework. With Flagright, a compliance officer can confidently say: “We have our risk under control at every level, from technology to culture.”

Conclusion: Embrace the Future of Risk Management

The Bank of Lithuania’s new guidelines set a progressive, thoughtful course for risk management, one that emphasizes principles, cultural values, and scalability. Compliance officers should see this not as merely new boxes to tick, but as an opportunity to build more resilient and effective risk frameworks within their companies. As we’ve explored, technology will be a critical enabler in this journey. Flagright stands out as a comprehensive solution that not only meets these regulatory expectations but also empowers institutions to derive business value from superior risk management.

In a financial world that is moving fast (with new fintech innovations, evolving threats like fraud and cybercrime, and expanding regulatory demands), having a partner like Flagright means you can move fast safely. You can confidently implement a principles-based approach, knowing the platform will handle the complexity behind the scenes. You can scale your business without worrying that your risk controls will fall behind. And you can foster a culture where every team member is risk-conscious, supported by data and tools that make their job easier.

For fintech companies eyeing the Lithuanian market, aligning with BoL’s expectations from day one can be a competitive advantage: it builds trust with regulators, banking partners, and customers. Flagright can help you achieve that alignment efficiently. For those already in the market, now is the time to assess your risk management maturity and plan for enhancements before the guidelines take effect on January 1, 2026. Consider how a modern platform could fill the gaps in your current process, reduce manual workloads, and provide the real-time insight that regulators (and you) want to have.

Ready to shape a principles-based risk management future for your institution? Discover how Flagright can be the catalyst for that transformation. Book a demo with our team today and see firsthand how Flagright’s agile risk engine and full-stack compliance platform can elevate your risk management to meet the new era of regulatory expectations, and drive your business confidently into the future.