Compliance Services for Fintech Companies in Lithuania
AT A GLANCE
- AML/KYC compliance is a legal obligation for every Lithuanian fintech company — not an optional enhancement — under the Lithuanian Law on the Prevention of Money Laundering and Terrorist Financing.
- The Bank of Lithuania and the FNTT actively supervise compliance frameworks through on-site examinations and off-site monitoring — a weak or undocumented framework is a direct risk to the licence.
- We provide compliance services across six areas: AML/KYC framework design, MLRO function, transaction monitoring, sanctions screening, compliance testing, and examination preparation.
- All compliance work is delivered by specialists with direct experience in Bank of Lithuania-regulated entities — not by general lawyers applying principles from other jurisdictions.
- Fixed-fee engagements are available for defined compliance projects; ongoing compliance programme management and the outsourced MLRO function are quoted on request based on scope.
Compliance services for a Lithuanian fintech company cover the design, implementation, and ongoing management of the AML/KYC framework required by Lithuanian law and the Bank of Lithuania’s supervisory expectations. This includes drafting the AML policy and compliance programme, establishing the MLRO function, designing customer due diligence and transaction monitoring procedures, implementing sanctions screening, conducting periodic compliance testing, and preparing the company for Bank of Lithuania supervisory examinations. We provide these services as standalone engagements or as an ongoing outsourced compliance function — covering companies at pre-licence, mid-application, and fully licensed stages.
The AML Compliance Obligation for Lithuanian Fintech Companies
Every Lithuanian fintech company subject to AML legislation — which includes all Bank of Lithuania-licensed entities and VASP-registered companies — must maintain an active AML/KYC compliance programme. This is not a matter of best practice; it is a statutory obligation under the Lithuanian Law on the Prevention of Money Laundering and Terrorist Financing (Pinigų plovimo ir teroristų finansavimo prevencijos įstatymas), which implements the EU’s Anti-Money Laundering Directives (AMLD).
The scope of the obligation is specific: every obliged entity must conduct customer due diligence on all clients, maintain transaction monitoring to identify suspicious activity, screen against applicable sanctions lists, file suspicious transaction reports (STRs) with the Financial Crime Investigation Service (FNTT), maintain records for a minimum of five years, and train relevant staff in AML requirements at least annually. Non-compliance — whether through absence of procedures, inadequate documentation, or failure to file STRs — is a regulatory offence carrying administrative sanctions up to the greater of €5,000,000 or 10% of annual turnover for legal entities.
Who is an obliged entity under Lithuanian AML law
- Electronic money institutions (EMIs) and payment institutions (PIs) licensed by the Bank of Lithuania
- MiCA-authorised crypto-asset service providers (CASPs)
- VASP-registered virtual asset service providers
- Investment firms licensed under MiFID II
- Crowdfunding platform operators licensed under the ECSP Regulation
- Consumer credit institutions
- Any company providing currency exchange services as a principal activity
AML compliance obligations begin before the licence is granted — not after. The Bank of Lithuania will not issue an EMI, PI, or MiCA licence to a company that does not have a documented AML/KYC compliance programme in place at the time of application. The compliance framework must be operational, not aspirational. Applications submitted with generic AML policies that do not reflect the company’s specific business model and customer base are routinely returned by the regulator with information requests.
What the Bank of Lithuania Expects from a Compliance Framework
The Bank of Lithuania’s AML supervisory expectations are set out in its guidelines and are based on the EBA’s AML/CFT supervisory guidelines and the FATF recommendations. Understanding what the regulator looks for during a supervisory examination is the starting point for building a framework that will withstand scrutiny.
| Compliance Element | Bank of Lithuania Expectation | Common Examination Finding |
|---|---|---|
| AML/CFT Policy | Tailored to the specific business model, customer base, and risk profile — not a generic template | Policy does not reflect actual business activities; references services the company does not offer |
| Business-wide risk assessment | Documented ML/TF risk assessment reviewed and updated at least annually | Risk assessment is absent, outdated, or not linked to the customer risk scoring methodology |
| Customer risk scoring | A documented, consistently applied methodology for classifying customers by ML/TF risk | Risk scores are assigned manually without a documented methodology; inconsistent application across the team |
| CDD procedures | Step-by-step procedures for standard and simplified CDD, with clear triggers for enhanced CDD | CDD procedures exist in policy but are not implemented as operational checklists staff actually use |
| EDD for high-risk clients | Documented EDD process for PEPs, high-risk jurisdictions, and complex ownership structures | EDD is applied inconsistently; PEP screening results are not documented in the client file |
| Transaction monitoring | Active monitoring system with documented typologies, alert thresholds, and investigation procedures | Alert closure without documented investigation rationale; no evidence of senior review for escalated alerts |
| MLRO function | Designated MLRO with documented authority, direct board access, and adequate resources | MLRO role held by person with insufficient AML experience; no documented reporting line to the board |
| STR filing | Timely, complete STR filings with the FNTT when suspicion is identified | STRs filed late or not at all; internal suspicious activity reports not escalated to MLRO |
| Staff training | Annual AML training for all relevant staff, with documented attendance and competency testing | Training is informal or undocumented; no records of what was covered or who attended |
| Record retention | All CDD records, transaction data, and STR filings retained for minimum 5 years | Records stored inconsistently; document retention policy not aligned with AML requirements |
Our Compliance Services for Fintech Companies
We provide compliance services across six areas, covering the full lifecycle of a fintech company’s AML/KYC obligations — from building the framework before the licence application through to ongoing programme management and examination preparation.
AML/KYC Framework Design and Implementation
The foundation of every fintech compliance programme is the AML/KYC framework — the set of policies, procedures, and controls that determine how the company identifies, assesses, and manages money laundering and terrorist financing risk. We design and implement AML/KYC frameworks that are tailored to the specific business model, customer base, and risk profile of each fintech client — not adapted from a generic template. The framework is built to satisfy the Bank of Lithuania’s licence application requirements and to withstand supervisory examination after the licence is granted.
- Business-wide ML/TF risk assessment — identifying and scoring the specific risks of the company’s activities, geographies, and customer types
- AML/CFT Compliance Programme — the master policy document defining the company’s full anti-money laundering framework
- Customer Acceptance Policy — defining risk appetite, prohibited categories, and the basis for customer acceptance or rejection decisions
- Customer risk scoring methodology — a documented, consistent approach to classifying customers from low to high ML/TF risk
- Standard CDD procedures — step-by-step onboarding workflows for individual and corporate clients
- Simplified CDD procedures — for low-risk customer categories where simplified measures apply under Lithuanian law
- Enhanced Due Diligence (EDD) procedures — for PEPs, high-risk jurisdictions, complex structures, and other elevated-risk scenarios
- Ongoing monitoring procedures — periodic review of existing client relationships and trigger-based re-KYC
MLRO Function — Outsourced and Advisory
The Money Laundering Reporting Officer (MLRO) is the individual legally responsible for receiving internal suspicious activity reports, deciding whether to file Suspicious Transaction Reports (STRs) with the FNTT, and acting as the primary point of contact for AML supervisory matters. The MLRO must be adequately qualified, given sufficient authority, and protected from interference in the performance of their duties. We provide the MLRO function in two forms: fully outsourced — where we act as the named MLRO — and advisory — where we support an in-house MLRO with specialist guidance.
- Outsourced MLRO — named individual designated as the company’s MLRO for Bank of Lithuania purposes
- Internal SAR assessment — reviewing internal suspicious activity reports and making the filing decision
- STR preparation and submission to the FNTT — within the statutory timeframe
- FNTT liaison — responding to FNTT enquiries, information requests, and freeze orders
- MLRO reporting to the board — regular compliance reports on SAR volumes, STR filings, and AML risk trends
- Advisory MLRO support — supporting an in-house MLRO with specialist guidance on complex cases and regulatory interpretations
- MLRO transition management — where a company is transitioning between MLROs and needs continuity coverage
The Bank of Lithuania permits the MLRO role to be outsourced, provided: the outsourcing arrangement is documented in a written agreement; the MLRO has direct access to all client data and transaction records; the licensed entity retains full accountability for AML compliance; and the arrangement is notified to the Bank of Lithuania. We prepare the required outsourcing agreement and notification as part of every outsourced MLRO engagement. The outsourced MLRO is available during Lithuanian business hours and responds to urgent STR decisions within 24 hours.
Transaction Monitoring Framework
Transaction monitoring is the operational core of an AML compliance programme — the continuous process of reviewing customer transactions to identify patterns that may indicate money laundering, terrorist financing, or sanctions evasion. An effective transaction monitoring framework requires documented typologies, calibrated alert thresholds, a defined investigation workflow, and a clear escalation path to the MLRO. We design, implement, and review transaction monitoring frameworks for fintech companies across payment, crypto, and lending sectors.
- Transaction monitoring typologies — documented patterns and red flags specific to the company’s business model
- Alert threshold calibration — setting thresholds that generate actionable alerts without creating alert fatigue
- Alert investigation procedures — step-by-step workflow for handling, investigating, and closing or escalating alerts
- Escalation to MLRO — documented escalation path for alerts that cannot be resolved at the analyst level
- System selection advisory — assessing automated transaction monitoring tools appropriate for the company’s volume and budget
- Model validation — periodic review of the transaction monitoring model to confirm it remains effective as the business evolves
- Typology update service — annual review and update of typologies to reflect current FNTT and EBA guidance
Sanctions Screening
Sanctions compliance is separate from AML compliance — but equally mandatory for Lithuanian fintech companies. Every obliged entity must screen clients and transactions against applicable sanctions lists before onboarding and on an ongoing basis. The applicable lists for Lithuanian entities include EU consolidated sanctions, UN sanctions, OFAC (US) sanctions where US-dollar transactions are involved, and the FNTT’s domestic list. A breach of EU sanctions — even inadvertent — carries criminal liability in Lithuania. We design and implement sanctions screening frameworks and provide ongoing screening compliance support.
- Sanctions screening policy — defining the lists screened, the screening frequency, and the hit resolution procedure
- Onboarding screening procedures — name screening at client onboarding against all applicable sanctions lists
- Ongoing screening procedures — periodic re-screening of the existing client base when sanctions lists are updated
- Transaction screening procedures — real-time or batch transaction screening for sanctioned counterparties
- False positive management — documented procedure for assessing and resolving screening hits that are not true matches
- Escalation and freeze procedures — what to do when a true sanctions match is identified; FNTT notification requirements
- Sanctions screening tool selection — advisory on commercially available screening tools appropriate to the company’s scale
- Sanctions compliance training — staff training on EU sanctions obligations and the practical screening workflow
Compliance Testing and Gap Analysis
A compliance framework that exists on paper but is not followed in practice does not satisfy the Bank of Lithuania. The gap between documented procedures and actual operations is the most common finding in AML supervisory examinations. Compliance testing — structured, periodic assessment of whether documented controls are being applied consistently — is the mechanism for identifying and closing that gap before the regulator does. We conduct compliance testing for fintech companies as a standalone engagement and as part of ongoing compliance programme management.
- AML programme gap analysis — comprehensive review of the existing compliance framework against current Bank of Lithuania expectations
- CDD file quality review — sampling and scoring of client onboarding files against the documented CDD procedures
- Transaction monitoring effectiveness testing — reviewing alert data to assess whether the monitoring model is performing as intended
- MLRO function assessment — reviewing the quality and timeliness of SAR assessments and STR decisions
- Staff AML knowledge testing — assessing whether relevant staff have adequate AML knowledge through structured testing
- Remediation planning — prioritised action plan addressing the gaps identified in the testing exercise
- Pre-examination readiness assessment — structured review of all compliance elements ahead of a scheduled Bank of Lithuania examination
Bank of Lithuania Examination Preparation
A Bank of Lithuania AML supervisory examination is a significant event for any licensed fintech entity. Examiners review written policies, sample client files, examine transaction monitoring records, and interview the MLRO and compliance officer. The outcome — satisfactory, with recommendations, or with formal findings — affects the company’s regulatory standing and can result in conditions, fines, or in serious cases, licence suspension. We prepare companies for supervisory examinations by reviewing the complete compliance framework, identifying and remediating gaps, and coaching key personnel on what to expect.
- Pre-examination compliance review — full assessment of the compliance programme against known Bank of Lithuania examination criteria
- Document organisation and preparation — structuring the compliance documentation for examiner review
- CDD file remediation — identifying and addressing deficiencies in client onboarding files before examiners review them
- Transaction monitoring record review — ensuring alert investigation records are complete and defensible
- MLRO preparation — coaching the MLRO and compliance officer on examination interviews and question handling
- Mock examination — simulated examination exercise to identify remaining gaps under examination conditions
- Post-examination response support — drafting responses to examination findings and preparing remediation plans
Compliance at Each Stage of the Fintech Lifecycle
Compliance obligations do not begin when the licence is granted — they begin when the company decides to apply. Understanding what is required at each stage prevents the most common compliance delays.
Compliance Services Pricing
Defined compliance engagements are priced at fixed fees. Ongoing compliance programme management and the outsourced MLRO function are quoted on request based on the company’s transaction volumes, client base complexity, and the scope of support required. There are no hourly charges for standard compliance work within the agreed scope.
| Service | Description | Price |
|---|---|---|
| Business-wide ML/TF risk assessment | Tailored to business model, customer types, and geographies | €800 |
| AML/CFT Compliance Programme | Full master AML policy document — tailored, not templated | €1,200 |
| Customer Acceptance Policy | Including risk appetite, prohibited categories, and EDD triggers | €600 |
| Customer risk scoring methodology | Documented methodology with scoring criteria and thresholds | €500 |
| Standard CDD procedures (individual + corporate) | Operational checklists for both natural and legal person onboarding | €700 |
| Enhanced Due Diligence (EDD) procedures | PEPs, high-risk jurisdictions, and complex ownership structures | €800 |
| Full AML framework package (risk assessment + policy + CAP + CDD + EDD) | Bundled — saving of €600 vs. individual items | €3,200 |
| Outsourced MLRO function | Monthly retainer — based on company size and expected SAR/STR volume | On request |
| Advisory MLRO support | Supporting an in-house MLRO; per-quarter or monthly engagement | On request |
| One-off MLRO consultation (complex case) | Per session — for specific SAR assessment or regulatory interpretation | €600 |
| Transaction monitoring framework design | Typologies, thresholds, investigation procedures, and escalation path | €900 |
| Transaction monitoring model review | Annual validation of existing model effectiveness | €1,200 |
| Typology update — annual | Updated typologies aligned with current FNTT and EBA guidance | €1,400 |
| Sanctions screening policy | Covering EU, UN, OFAC lists; hit resolution procedure included | €900 |
| Sanctions compliance training (up to 15 staff) | Structured training session with documentation and attendance records | €5,000 |
| AML programme gap analysis | Comprehensive review against Bank of Lithuania examination criteria | €1,500 |
| CDD file quality review (sample of 30 files) | Scored review with remediation recommendations | €1,600 |
| Pre-examination readiness assessment | Full compliance review ahead of a scheduled Bank of Lithuania examination | €1,800 |
| Post-examination response and remediation plan | Based on number and severity of examination findings | On request |
| Ongoing compliance programme management | Monthly retainer — quarterly reviews, annual risk assessment, regulatory updates | On request |
| AML staff training (annual, up to 20 staff) | Full-day training with competency testing and attendance records | €7,000 |
The full AML framework package bundles the five core compliance documents a fintech company needs for its licence application: the business-wide risk assessment, the AML/CFT Compliance Programme, the Customer Acceptance Policy, the customer risk scoring methodology, and the CDD and EDD procedures. These documents are prepared as an integrated set — internally consistent, tailored to the company’s specific business model, and formatted for Bank of Lithuania submission. Commissioning these separately would cost €3,800. The package saves €600 and eliminates the risk of inconsistencies between documents prepared independently.
