Compliance Documentation Drafting for Fintech Companies in Lithuania
AT A GLANCE
- Compliance documentation is what turns a compliance policy into an operational reality — it is the step-by-step procedures, decision trees, and checklists that staff actually use when onboarding clients, handling alerts, and filing reports.
- The Bank of Lithuania reviews documentation quality directly during supervisory examinations — the gap between stated policies and actual operational procedures is the most common examination finding across all licence types.
- We draft the complete compliance documentation suite for Lithuanian fintech companies — from the AML/CFT Compliance Programme and KYC onboarding procedures through to DORA ICT policies and sanctions screening workflows.
- All documents are tailored to the specific business model, customer base, and licence type — not adapted from generic templates designed for different business types or jurisdictions.
- Documentation is available as individual documents at fixed fees, or as bundled packages covering the full set required for a licence application or a post-examination remediation.
Compliance documentation drafting means producing the written procedures, policies, and operational guides that a Lithuanian fintech company must have in place to satisfy its regulatory obligations and pass Bank of Lithuania supervisory examination. A policy document states what the company does. A procedure document tells staff exactly how to do it — step by step, with decision criteria, escalation paths, and record-keeping requirements. The Bank of Lithuania reviews both. We draft both, tailored to the specific business model and licence type of each client, at fixed fees per document and in discounted bundles for the complete sets required at specific regulatory milestones.
Policy vs. Procedure: Why Both Matter
The most common misunderstanding in fintech compliance is treating policy documents and operational procedures as interchangeable. They are not — and the Bank of Lithuania’s supervisory examiners treat them as distinct artefacts that serve different purposes.
What a policy document does
A policy document states the company’s commitment, principles, and high-level framework. An AML policy states that the company will conduct customer due diligence, maintain transaction monitoring, and file STRs when required. It defines the risk appetite, the governance structure, the roles responsible for compliance, and the consequences of non-compliance. The policy is typically approved by the board and reviewed annually. It is the document a Bank of Lithuania examiner reads first to understand what the company says it does.
What a procedure document does
A procedure document — also called a standard operating procedure (SOP) or work instruction — tells a specific member of staff exactly how to perform a specific task. A KYC onboarding procedure tells the analyst which documents to collect from an individual client, in what order, what to do when a document is missing, how to score the client’s risk level, and where to record the outcome. It contains decision trees, checklists, and escalation paths. A procedure is what the analyst opens when onboarding a client on a Monday morning — not the policy document, which they may have read once at induction.
What happens when the procedure is missing
A company with a well-drafted AML policy but no operational procedures is a company that has described its intentions without building the mechanism to deliver them. When a Bank of Lithuania examiner reviews 30 client onboarding files and finds that the CDD documents collected are inconsistent — some clients have source of funds documentation, others do not; some PEP checks are documented, others are not — the finding is not that the company has a bad policy. The finding is that the policy is not implemented. The operational procedure is what makes implementation consistent. Without it, each analyst makes their own decisions about what good enough looks like.
During a Bank of Lithuania AML supervisory examination, examiners typically: read the AML/CFT Compliance Programme and Customer Acceptance Policy (policy level); sample 20–40 client onboarding files and assess them against the documented CDD procedures (procedure level); review transaction monitoring alert records and look for documented investigation rationale (procedure level); interview the MLRO and compliance officer about their procedures (knowledge level). The examination tests whether the procedures exist, whether they are adequate, and whether they are actually followed. All three levels must be present.
Compliance Documents We Draft
The following document library covers the full compliance documentation suite for a Lithuanian fintech company — from core AML documents through to DORA ICT policies and data protection procedures. Each document is drafted individually at a fixed fee or as part of a bundled package.
AML/CFT Compliance Programme
What it covers: The master policy document covering the company’s full anti-money laundering framework — governance, risk appetite, roles and responsibilities, and the high-level description of all compliance controls.
- Company’s regulatory obligations under Lithuanian AML law and applicable EU Directives
- ML/TF risk appetite statement — the company’s defined tolerance for money laundering and terrorist financing risk
- Governance structure — the board’s, senior management’s, and MLRO’s respective roles and responsibilities
- Overview of all AML controls — CDD, EDD, transaction monitoring, sanctions screening, STR filing, and record retention
- Staff responsibilities — what is expected from every employee in relation to AML compliance
- Consequences of non-compliance — internal disciplinary consequences and regulatory reporting obligations
- Annual review mechanism — how and when the programme is reviewed and updated
- Reference to all supporting procedure documents — the AML programme is the top-level document; procedures sit below it
Customer Acceptance Policy (CAP)
What it covers: Defines which customers the company will accept, which it will decline, and which require elevated scrutiny before acceptance — the company’s codified risk appetite at the customer level.
- Acceptable customer categories — the types of clients the company serves and the basis for their acceptance
- Prohibited customer categories — explicitly prohibited client types (e.g., customers from sanctioned jurisdictions, shell companies with no identifiable UBO)
- High-risk customer categories — clients who require EDD before acceptance, including PEPs, high-risk jurisdiction nationals, and complex ownership structures
- Senior management approval requirements — customer categories that cannot be accepted without explicit senior approval
- Geographic restrictions — countries and jurisdictions from which the company will not accept clients
- Business activity restrictions — types of business activity that the company will not serve
- Customer re-evaluation triggers — events that require an existing customer’s acceptance status to be reassessed
KYC Onboarding Procedures
What it covers: Step-by-step operational procedures for identifying and verifying individual and corporate clients — the document analysts follow when onboarding each client type.
- Individual (natural person) onboarding procedure — identity verification, address verification, PEP screening, sanctions check, risk scoring
- Corporate (legal entity) onboarding procedure — corporate document collection, UBO identification, control structure mapping, beneficial ownership verification
- Document collection checklists — specific documents required for each client type and jurisdiction
- Risk scoring worksheet — the step-by-step calculation of the client’s ML/TF risk score based on defined criteria
- Decision matrix — what to do with the risk score: accept, escalate to EDD, refer to MLRO, or decline
- Record-keeping requirements — where to store onboarding documents, in what format, for how long
- Re-KYC trigger list — events that require an existing client to go through the onboarding procedure again
Enhanced Due Diligence (EDD) Procedures
What it covers: Procedures for conducting enhanced scrutiny on high-risk clients — PEPs, clients from high-risk jurisdictions, and complex ownership structures — beyond the standard CDD workflow.
- PEP identification and screening procedure — how to identify PEPs, which databases to use, and how to document the result
- PEP EDD requirements — the specific additional information required for a PEP client (source of wealth, source of funds, purpose of relationship)
- High-risk jurisdiction procedure — additional checks required for clients from FATF-listed or EU high-risk countries
- Complex ownership structure procedure — how to trace beneficial ownership through multi-layer corporate structures
- Senior management approval workflow — the documented process for obtaining approval before accepting an EDD client
- EDD monitoring requirements — more frequent transaction monitoring thresholds and periodic review intervals for EDD clients
- EDD file documentation standard — what a complete EDD client file must contain for examination purposes
Transaction Monitoring Procedures
What it covers: Operational procedures for the transaction monitoring function — from alert generation through investigation to MLRO escalation or closure.
- Alert triage procedure — how to categorise incoming alerts by urgency and risk level
- Alert investigation workflow — step-by-step investigation process including client context review, transaction analysis, and pattern assessment
- Typology reference guide — documented ML/TF typologies relevant to the company’s business model, used to contextualise alerts
- Escalation criteria — objective criteria for when an alert must be escalated to the MLRO rather than closed by the analyst
- Alert closure documentation standard — what must be recorded when an alert is closed without escalation
- MLRO referral memo template — the format in which analysts document and communicate escalated alerts to the MLRO
- Quality control procedure — how the compliance officer reviews closed alerts for procedural compliance
- Model review trigger — events that require the transaction monitoring model thresholds or typologies to be reviewed
Sanctions Screening Procedures
What it covers: Step-by-step procedures for screening clients and transactions against applicable sanctions lists — and for handling the hits that the screening system generates.
- Screening lists reference — the specific sanctions lists screened (EU, UN, OFAC, and FNTT domestic list) with update frequency
- Onboarding screening procedure — how and when to screen new clients before account activation
- Ongoing screening procedure — how to handle automated rescreening when sanctions lists are updated
- Transaction screening procedure — real-time or batch screening of payment counterparties
- Hit review procedure — the documented process for assessing whether a screening hit is a true match or a false positive
- False positive documentation standard — what must be recorded when a hit is confirmed as a false positive
- True match escalation procedure — immediate steps when a true sanctions match is confirmed; account freeze and FNTT notification
- Sanctions training note — brief reference guide for staff on what sanctions compliance means and what to do when a name appears suspicious
Internal STR Reporting and MLRO Procedures
What it covers: The procedures governing how staff report suspicious activity internally to the MLRO — and how the MLRO assesses those reports and decides whether to file an STR with the FNTT.
- Internal SAR reporting procedure — how employees report suspicions to the MLRO (form, channel, timeframe)
- Internal SAR form template — the standardised form employees complete when reporting a suspicion
- MLRO assessment procedure — how the MLRO evaluates an internal SAR and reaches a filing decision
- MLRO decision documentation standard — what the MLRO must record regardless of whether an STR is filed
- STR filing procedure — how to prepare and submit an STR to the FNTT through the AML system
- Tipping-off prohibition — instructions to all staff on why the suspicion must not be disclosed to the subject
- FNTT enquiry response procedure — how to handle and respond to FNTT information requests
- MLRO monthly reporting template — the format in which the MLRO reports to the compliance officer and board
Data Retention and Record-Keeping Policy
What it covers: Defines what compliance records must be retained, for how long, in what format, and how they must be made available to the regulator — aligned with both AML minimum retention requirements and GDPR.
- AML record retention schedule — minimum 5-year retention for CDD documents, transaction records, and STR filings
- GDPR retention alignment — reconciling AML retention obligations with GDPR data minimisation and storage limitation principles
- Record format requirements — what constitutes an adequate record for examination purposes (completeness, legibility, authenticity)
- Storage and access controls — who can access compliance records, under what conditions
- Regulator access procedure — how to respond to Bank of Lithuania or FNTT requests for records, within the required timeframe
- Record destruction procedure — how and when records are destroyed after the retention period expires
- Retention register — the master document listing all compliance record categories with their retention periods
ICT Risk Management Framework (DORA)
What it covers: For licensed entities subject to the Digital Operational Resilience Act (DORA) — applicable to all Lithuanian EMIs, PIs, MiCA-authorised companies, and investment firms from January 2025 — an ICT risk management framework and related procedures are mandatory.
- ICT risk management policy — governance of ICT risk, roles and responsibilities, and risk appetite for operational disruption
- ICT asset register — inventory of all ICT systems and assets critical to the licensed activities
- ICT risk assessment procedure — how to identify, assess, and score ICT risks across the technology infrastructure
- ICT incident classification procedure — how to classify ICT incidents by severity and determine whether Bank of Lithuania reporting is required
- Major ICT incident reporting procedure — the documented process for notifying the Bank of Lithuania of major ICT incidents
- ICT third-party risk management procedure — how to assess and monitor critical ICT service providers
- Business continuity and disaster recovery plan — documented response to ICT disruption affecting regulated activities
- Digital operational resilience testing programme — the schedule and methodology for testing resilience annually
Outsourcing Policy
What it covers: Required for all licensed entities that outsource any function — defines governance of outsourcing arrangements, the register of outsourced functions, and how third-party performance is monitored.
- Outsourcing governance framework — the board’s role in approving outsourcing arrangements and the criteria for classifying outsourcing as critical or important
- Outsourcing register — a live record of all outsourced functions, providers, and contract terms
- Due diligence procedure for outsourcing providers — how to assess a new provider before entering an outsourcing arrangement
- Outsourcing agreement minimum terms — the contractual provisions required by EBA guidelines for every outsourcing agreement
- Provider monitoring procedure — ongoing monitoring of outsourced provider performance and compliance
- Concentration risk assessment — procedure for assessing and managing concentration risk across the outsourcing portfolio
- Exit planning procedure — how to plan for and manage the exit from an outsourcing arrangement
- Bank of Lithuania notification procedure — how to notify the regulator for critical or important outsourcing
Annual Compliance Review Template
What it covers: A structured template for the annual review of the compliance programme — covering all AML/KYC controls, transaction monitoring effectiveness, STR filing record, and training completion.
- Review scope and methodology — what the annual review covers and how it is conducted
- AML policy review section — assessment of whether the policy remains current and fit for purpose
- CDD file quality assessment — results of the file sampling exercise conducted as part of the review
- Transaction monitoring effectiveness section — alert volumes, closure rates, escalation rates, and model performance
- STR filing record section — number of SARs received, STRs filed, and trends versus prior year
- Training completion section — confirmation of annual AML training completion across all relevant staff
- Risk assessment refresh section — whether the business-wide risk assessment requires updating
- Remediation tracker — outstanding actions from the prior year’s review and their completion status
- Board presentation summary — a one-page executive summary of review findings for the board
Which Documents Are Required at Each Stage
The compliance documentation required at each stage of the fintech lifecycle differs — from the minimum set needed for a licence application through to the full operational suite once the company is licensed and supervised. The table below maps the key documents to the stage at which they become critical.
| Document | Licence Application | Operational Launch | Annual Review | Exam Preparation |
|---|---|---|---|---|
| AML/CFT Compliance Programme | Required | Required | Updated | Reviewed |
| Customer Acceptance Policy | Required | Required | Updated | Reviewed |
| KYC Onboarding Procedures (individual) | Required | Operational | Updated | File sampled |
| KYC Onboarding Procedures (corporate) | Required | Operational | Updated | File sampled |
| EDD Procedures | Required | Operational | Updated | File sampled |
| Transaction Monitoring Procedures | Required | Operational | Updated | Alert records reviewed |
| Sanctions Screening Procedures | Required | Operational | Updated | Reviewed |
| Internal STR / MLRO Procedures | Required | Operational | Updated | STR record reviewed |
| Data Retention Policy | Required | Required | Updated | Reviewed |
| ICT Risk Framework (DORA) | — | Required | Updated | Reviewed |
| Outsourcing Policy | If applicable | Required | Updated | Register reviewed |
| Annual Compliance Review Template | — | — | Completed | Evidence |
What Makes Compliance Documentation Adequate
Bank of Lithuania examiners assess compliance documentation against specific quality criteria. Understanding these criteria is the starting point for drafting documents that will withstand examination — rather than needing to be rewritten after the first supervisory visit.
Specificity — tailored to the business, not generic
An adequate procedure document is specific to the company’s actual business model and customer base. A KYC procedure written for a retail bank that has been adapted for a crypto exchange by changing the header is not adequate. The document must reference the actual customer types the company serves, the actual documents available in the markets the company operates in, and the actual risk factors relevant to the company’s transaction profile. Generic documents — which most compliance consultancies use — fail this test because they describe a theoretical company, not the actual one the examiner is looking at.
Operationality — can a new staff member follow it
An adequate procedure document should be operable by a competent but uninstructed analyst. It should not require the reader to exercise significant judgment to fill gaps. Decision points should be explicit — if a client presents a utility bill rather than a bank statement for address verification, does the procedure accept it? If a client’s risk score falls on a threshold between two categories, what happens? If an OFAC hit contains a common name with no date of birth match, how is it resolved? Documents that leave these questions unanswered produce inconsistent implementation — which is exactly what examiners find when they sample client files.
Internal consistency — all documents tell the same story
The AML programme describes the company’s controls at a high level. The Customer Acceptance Policy defines the risk appetite in terms of customer categories. The KYC procedures implement those categories operationally. The transaction monitoring procedures reference the risk scores generated by the KYC procedures. If these documents are prepared independently by different people or at different times, they frequently conflict — the risk categories in the CAP do not match the risk scoring criteria in the KYC procedures, or the EDD triggers in the policy differ from those in the procedure. We draft all documents as an integrated set to prevent this.
Currency — reflecting the actual current operations
A document that accurately described the company’s operations 18 months ago but has not been updated since a product launch, a technology change, or a team restructure is worse than having no document — because it tells the examiner that the company knows what it should be doing but has not been doing it. Documents must reflect the actual current state of operations. We include annual review cycles in every document and, for retainer clients, proactively flag when a business change requires a document update.
Compliance Documentation Pricing
All documents are priced at fixed fees — quoted per document or as bundled packages for common milestone sets. Documents are delivered in English in an editable format, ready for internal review, adoption, and filing. Lithuanian versions are provided for any document required by Lithuanian law to be in Lithuanian.
| Document / Service | Description | Price |
|---|---|---|
| AML/CFT Compliance Programme | Full master AML policy document — tailored to business model and licence type | €2,200 |
| Customer Acceptance Policy | Including risk appetite statement, prohibited categories, and EDD triggers | €1,200 |
| KYC Onboarding Procedure — individual clients | Step-by-step operational procedure with document checklist and risk scoring worksheet | €1,000 |
| KYC Onboarding Procedure — corporate clients | Corporate onboarding procedure including UBO identification and complex structure mapping | €1,600 |
| Enhanced Due Diligence (EDD) Procedure | PEPs, high-risk jurisdictions, and complex ownership — with senior management approval workflow | €1,000 |
| Transaction Monitoring Procedure | Alert triage, investigation workflow, escalation criteria, and closure documentation standard | €900 |
| Sanctions Screening Procedure | Covering EU, UN, OFAC, and FNTT lists — with hit review and true match escalation workflow | €900 |
| Internal STR Reporting and MLRO Procedures | SAR form, MLRO assessment procedure, STR filing procedure, and FNTT liaison | €850 |
| Data Retention and Record-Keeping Policy | AML and GDPR-aligned retention schedule with regulator access procedure | €800 |
| Annual Compliance Review Template | Structured template covering all compliance programme elements; board summary included | €900 |
| ICT Risk Management Framework (DORA) | ICT risk policy, asset register template, incident classification, and BoL reporting procedure | €1,900 |
| Business Continuity and Disaster Recovery Plan | Documented response to ICT disruption for DORA compliance | €1,400 |
| Outsourcing Policy | Governance framework, outsourcing register, due diligence procedure, and EBA-compliant minimum contract terms | €900 |
| Licence Application Bundle (AML Programme + CAP + KYC individual + KYC corporate + EDD + TM + Sanctions + STR) | Complete documentation set for an EMI, PI, or MiCA licence application — saving of €850 vs. individual pricing | €4,600 |
| Operational Launch Add-on (Retention Policy + Outsourcing Policy + DORA Framework) | Three documents typically needed at operational launch — bundled at a saving of €200 | €1,600 |
| Full documentation suite (all 12 documents) | Complete compliance documentation library — saving of €1,650 vs. individual pricing | €6,500 |
| Annual document review and update (per document) | Reviewing an existing document against current BoL expectations and updating as required | €200–€400 |
| Post-examination remediation (documentation) | Rewriting or supplementing documents following specific Bank of Lithuania examination findings | On request |
| Document gap analysis | Assessment of existing documentation against the full required set — identifying what is missing or inadequate | €800 |
The €4,600 licence application bundle contains the eight documents the Bank of Lithuania expects to see in a complete EMI, PI, or MiCA application: the AML/CFT Compliance Programme, Customer Acceptance Policy, KYC procedures for individual and corporate clients, Enhanced Due Diligence procedure, Transaction Monitoring procedure, Sanctions Screening procedure, and Internal STR/MLRO procedures. These eight documents are drafted as an integrated set — all terminology, risk categories, and cross-references are consistent across every document. Commissioning them individually costs €5,050. The bundle saves €850 and eliminates the inconsistency risk that comes from drafting documents separately.
