Legal Services for Fintech Companies in Lithuania

AT A GLANCE

Fintech legal work covers four simultaneous layers: corporate law, regulatory law, contract law, and employment law — all of which must align with the Bank of Lithuania’s expectations from the first day of operations.
Legal documents for a licensed entity are not just commercial agreements — they are regulatory artefacts that the Bank of Lithuania reviews during supervisory examinations.
We provide fixed-fee legal services for defined fintech engagements and quoted rates for complex regulatory or transaction work — all in English, with Lithuanian versions where required for filing.
Our fintech legal team has direct experience with EMI, PI, MiCA, investment firm, and crowdfunding regulatory frameworks in Lithuania.
Legal support is available at every stage — pre-application structure, licence application preparation, post-licence compliance, and ongoing commercial operations.

Legal services for a Lithuanian fintech company span four areas simultaneously: the corporate structure and governance documents that satisfy the Bank of Lithuania’s governance expectations; the commercial contracts — terms of service, user agreements, DPAs — that govern the relationship with clients and partners; the employment contracts for regulated roles including compliance officers and MLROs; and the regulatory legal work that supports the licence application and ongoing supervisory compliance. We provide all four service areas under one engagement, at fixed fees for defined work and quoted rates for complex or bespoke engagements.

Why Fintech Legal Work Is Different

Legal work for a licensed fintech company is more complex than for a standard commercial entity — not because the underlying principles are different, but because every legal document a licensed entity produces exists in two contexts simultaneously: the commercial context (does this contract protect the company’s interests?) and the regulatory context (does this document satisfy the Bank of Lithuania’s requirements?).

Documents are regulatory artefacts

The Bank of Lithuania reviews a licensed entity’s legal documentation during supervisory examinations. Terms of service that are commercially reasonable but non-compliant with PSD2 or MiCA consumer protection requirements are a regulatory finding. Employment contracts for compliance officers that do not correctly define the role’s independence and reporting line create a governance gap. Internal governance documents that do not reflect the actual decision-making structure of the company undermine the credibility of the licence application. Every legal document a fintech company produces must pass both the commercial test and the regulatory test.

Regulatory frameworks are specific and detailed

PSD2, EMD2, MiCA, MiFID II, GDPR, DORA, and the Lithuanian Law on the Prevention of Money Laundering — each regulatory framework imposes specific mandatory content on certain documents. A payment institution’s terms of service must include specific pre-contractual information required by PSD2. A MiCA-authorised company’s white paper and client agreements must contain specific disclosures. A licensed entity’s internal governance documents must reflect the specific committee and reporting structures the Bank of Lithuania expects. Generic legal templates — even well-drafted ones — do not satisfy these requirements. Documents must be drafted by lawyers who know the applicable regulatory framework, not just the general commercial law.

The regulatory relationship requires legal management

A fintech company’s relationship with the Bank of Lithuania is an ongoing legal relationship, not a one-time transaction. Licence conditions impose continuing obligations that must be documented, monitored, and evidenced. Changes to the business model, ownership structure, or key personnel must be notified to the regulator — in writing, with supporting documentation, within prescribed timeframes. Regulatory correspondence requires careful drafting. We manage the legal dimension of this ongoing regulatory relationship as part of our fintech legal service.

Legal Service Areas for Fintech Companies

Our fintech legal service covers six distinct areas, each corresponding to a specific dimension of a licensed entity’s legal obligations.

Corporate Governance and Structure
The corporate governance structure of a fintech company is subject to Bank of Lithuania scrutiny from the moment the licence application is submitted. The regulator assesses whether the management structure is appropriate for the size and complexity of the business, whether decision-making authority is clearly defined, whether there are adequate internal controls, and whether the board and senior management have the qualifications and experience to manage a regulated entity. We structure the governance framework to satisfy these expectations from the outset.

Articles of association — drafted to include governance provisions aligned with Bank of Lithuania requirements
Shareholder agreements — defining ownership rights, reserved matters, and investor protections in a regulatory context
Board and management committee charters — defining decision-making authority, quorum, and reporting lines
Director and officer service agreements — including fit-and-proper declarations and regulatory reporting obligations
Delegation of authority frameworks — mapping which decisions require board approval, management approval, or can be delegated
Corporate governance policy — the overarching document the Bank of Lithuania reviews to assess governance adequacy
Conflict of interest policy — required for licensed entities; identifying, disclosing, and managing conflicts

Governance expectations for licensed entities

The Bank of Lithuania’s governance requirements for licensed fintech entities are based on EBA guidelines on internal governance (EBA/GL/2021/05). Key expectations include: a clearly defined management structure with documented responsibilities; at least two senior managers effectively running the licensed activities; an audit committee for larger entities; a documented risk appetite framework; and regular board reporting on compliance, risk, and financial performance. We structure the governance documents to satisfy these guidelines from day one.

Regulatory Legal Support
Navigating the Bank of Lithuania as a licensed entity requires legal support that goes beyond compliance advisory. The legal dimension of the regulatory relationship — licence condition interpretation, regulatory change analysis, notification obligations, and supervisory correspondence — requires lawyers who understand both the regulatory framework and the practical way the Bank of Lithuania operates. We provide legal support across the full regulatory lifecycle of a licensed entity.

Licence condition legal review — interpreting and mapping each licence condition to an operational obligation
Material change notifications — drafting and submitting notifications to the Bank of Lithuania for changes requiring prior approval
Regulatory correspondence — drafting responses to Bank of Lithuania queries, information requests, and supervisory findings
Passporting notifications — preparing and submitting EU passporting notifications for cross-border service provision
Outsourcing agreements — drafting and reviewing outsourcing arrangements to satisfy EBA outsourcing guidelines
Regulatory change legal analysis — assessing the impact of new EU and Lithuanian regulation on existing operations
Enforcement response — legal support when the Bank of Lithuania initiates formal enforcement or supervisory action

Commercial Contracts and User Agreements
Every commercial relationship a fintech company enters — with clients, partners, payment processors, technology providers, and data vendors — must be governed by a written agreement that satisfies both Lithuanian commercial law and the applicable regulatory framework. For licensed entities, client-facing documents must meet specific mandatory disclosure requirements. We prepare and maintain the full commercial contract suite for fintech companies, ensuring every document is enforceable under Lithuanian law and compliant with the applicable regulation.

Terms of service — mandatory PSD2 pre-contractual disclosures, payment service framework contracts, user rights
E-money terms — EMD2-compliant e-money issuance, redemption rights, and fee disclosure
MiCA client agreements — crypto-asset service disclosures, risk warnings, and complaint procedures required under MiCA
API and technology partner agreements — governing data access, uptime obligations, and liability allocation
Acquiring and processing agreements — for companies operating payment acquiring infrastructure
Agent and distributor agreements — for fintech companies distributing through third-party agents
White label and licensing agreements — where the company licenses its platform or technology to third parties
Non-disclosure agreements — tailored to fintech M&A discussions, partnership negotiations, and technology sharing

PSD2 mandatory contract content

Under the Payment Services Directive 2 (PSD2), payment service providers must provide specific pre-contractual information before a framework contract takes effect. This includes: the payment service provider’s identity and contact details; a description of the payment service; information on charges, exchange rates, and execution times; the user’s consent and withdrawal rights; notification and communication procedures; and complaint and redress procedures. Missing any of these elements renders the framework contract non-compliant and exposes the licensed entity to regulatory risk. We build all mandatory PSD2 content into client-facing agreements as standard.

Data Protection and GDPR
Fintech companies process large volumes of personal data — payment data, identity verification data, transaction history, and behavioural data — that carry significant GDPR obligations. For MiCA-authorised companies, additional data handling requirements apply under the crypto regulation. For companies subject to DORA (Digital Operational Resilience Act), ICT risk management and incident reporting obligations overlap with data protection requirements. We prepare and maintain the full GDPR documentation framework for fintech companies, coordinated with their regulatory obligations.

Privacy policy — GDPR-compliant, specific to fintech data processing activities
Data processing agreements (DPAs) — for relationships with third-party processors including KYC providers, cloud services, and analytics platforms
Records of processing activities (ROPA) — the internal data map required under GDPR Article 30
Data breach notification procedures — aligned with both GDPR (72-hour notification) and Bank of Lithuania incident reporting requirements
Data subject rights procedures — handling access, erasure, portability, and objection requests
Data retention and deletion policy — aligned with both GDPR principles and AML 5-year retention obligations
Cookie policy and consent management — for fintech companies with web and app interfaces
Data protection impact assessments (DPIAs) — for high-risk processing activities including biometric KYC

Employment Law for Regulated Roles
Fintech companies operating under a Bank of Lithuania licence must staff specific regulated roles — compliance officer, MLRO, risk manager, and in some cases an internal auditor. These roles have legal obligations that must be reflected in the employment documentation: independence, direct reporting lines, access to information, and protection from interference. Employment contracts for regulated roles that do not include these provisions create governance gaps that the Bank of Lithuania will identify during examination. We draft employment documentation for regulated and standard roles alike.

Employment contracts for regulated roles — compliance officer, MLRO, risk manager, DPO, internal auditor
Independence provisions — ensuring regulated function holders have documented authority and protection from undue influence
Reporting line documentation — defining the direct reporting structure to senior management and the board
Non-compete and confidentiality clauses — enforceable under Lithuanian Labour Code; with statutory compensation provisions
IP assignment clauses — ensuring technology developed by employees belongs to the company
Contractor agreements for specialist roles — including fit-and-proper declarations for key function contractors
Director service agreements — governing the director’s relationship with the licensed entity
Redundancy and termination procedures — compliant with the Lithuanian Labour Code for sensitive regulated roles

Investment, M&A, and Corporate Transactions
Fintech companies that raise investment, acquire other businesses, or are themselves the subject of M&A activity face a specific regulatory dimension that standard M&A legal advisors frequently underestimate: any change in qualifying ownership of a licensed entity requires prior approval from the Bank of Lithuania. This regulatory approval process runs in parallel with the commercial transaction and must be carefully coordinated. We manage the legal dimension of fintech M&A and investment transactions, combining corporate transaction experience with the regulatory knowledge required for the Bank of Lithuania approval process.

Investment round documentation — term sheets, subscription agreements, SHA, convertible instruments
Qualifying holding notifications — mandatory Bank of Lithuania prior approval for acquisitions above 10%, 20%, 33%, 50% thresholds
Due diligence support — legal data room preparation; responding to investor legal queries on licence status and conditions
Shareholder change documentation — legal documents and regulatory filings for ownership changes below notification thresholds
Acquisition of licensed entities — legal and regulatory assessment of target licence status; SPA drafting
Change of control conditions — legal management of Bank of Lithuania conditions attached to M&A approvals
Group restructuring — legal analysis of restructuring impact on existing licences and notification obligations

Key Legal Documents by Licence Type

The specific legal documents a fintech company needs depend on its licence type. The table below maps the most important documents to the applicable regulatory framework.

Document	EMI	PI	MiCA CASP	Investment Firm
PSD2-compliant terms of service	✓	✓	—	—
EMD2 e-money terms	✓	—	—	—
MiCA client agreement and disclosures	—	—	✓	—
MiFID II suitability / appropriateness docs	—	—	—	✓
Safeguarding policy	✓	✓	—	—
AML/KYC policy (legal review)	✓	✓	✓	✓
Outsourcing agreements (EBA-compliant)	✓	✓	✓	✓
GDPR privacy policy and DPAs	✓	✓	✓	✓
Corporate governance policy	✓	✓	✓	✓
Regulated role employment contracts	✓	✓	✓	✓
Passporting notification documents	✓	✓	✓	✓
Qualifying holding notification (M&A)	✓	✓	✓	✓

Legal Services Pricing

Defined fintech legal engagements are quoted at fixed fees. Complex regulatory, transaction, or bespoke work is quoted on request after an initial scoping call. All fees are for the legal work only and do not include government filing fees or third-party costs.

Service	Price
Corporate governance policy Standalone governance document for a licensed entity	€800
Board / management committee charter Per committee — with mandate, quorum, and reporting provisions	€650
Conflict of interest policy	€600
Delegation of authority framework Mapping decision rights across board, management, and operations	€800
PSD2-compliant terms of service (payment institution) Full framework contract with mandatory PSD2 pre-contractual disclosures	€1,800
EMD2-compliant e-money terms Including redemption rights, fee disclosure, and user protections	€1,600
MiCA client agreement and risk disclosures MiCA-mandatory client disclosures, risk warnings, complaint procedures	€1,000
API / technology partner agreement Data access, uptime SLA, liability caps, and termination provisions	€1,000
White label / platform licensing agreement Depends on scope of licensed technology and commercial terms	On request
Non-disclosure agreement (fintech-specific) Mutual NDA for partnership or M&A discussions; English + Lithuanian	€650
GDPR privacy policy (fintech) Specific to fintech data processing activities; published-ready	€900
Data processing agreement (DPA) template Master DPA template for use with third-party processors	€700
Records of processing activities (ROPA) Full internal data map covering all processing activities	€800
Data breach notification procedure Aligned with GDPR 72h and Bank of Lithuania incident reporting	€750
Full GDPR documentation package Privacy policy + DPA template + ROPA + breach procedure — bundled	€3,500
Employment contract — regulated role (compliance, MLRO, risk) With independence provisions, reporting line, and IP assignment	€450
Employment contract — standard role Labour Code-compliant; English + Lithuanian	€300
Director service agreement With fit-and-proper declaration and regulatory reporting obligations	€800
Contractor agreement — regulated role Including fit-and-proper declaration and IP assignment	€800
Passporting notification documents (per jurisdiction) Outbound passporting to a single EU member state	€800
Material change notification to Bank of Lithuania Depends on nature and complexity of the change	On request
Qualifying holding notification (M&A) Regulatory filings for ownership changes above notification thresholds	On request
Investment round documentation (fintech-specific) SHA, subscription agreement, and regulatory impact assessment	On request
Ongoing legal retainer Monthly advisory retainer covering licence conditions, contracts, and regulatory changes	On request

On ‘on request’ pricing

Services quoted on request are not more expensive by default — they are quoted individually because the scope varies too widely to fix from a menu. A passporting notification to one jurisdiction is a different engagement from a cross-border restructuring affecting four licences. We provide a fixed quote after a 30-minute scoping call. No charge for the scoping call.

GDPR documentation package — what’s included

The €3,500 GDPR package combines four documents that every fintech company must have: (1) a published privacy policy specific to fintech data processing activities; (2) a master DPA template for use with all third-party processors; (3) a records of processing activities (ROPA) covering all processing operations; and (4) a data breach notification procedure aligned with both GDPR and Bank of Lithuania incident reporting requirements. Commissioning these separately costs more. The package ensures all four documents are internally consistent.

Legal Work in the Licence Application Process

The Bank of Lithuania’s licence application requires a substantial legal documentation package — not just the application form, but the governance documents, policies, and agreements that demonstrate the company is ready to operate as a regulated entity. Here is what the legal component of a licence application covers.

What the Bank of Lithuania requires as legal documentation

Corporate governance policy — demonstrating a governance structure appropriate to the licence type and business complexity
Articles of association — must reflect the governance provisions described in the governance policy
Director and key function holder service agreements — confirming the role, authority, and independence of each regulated function
Conflict of interest policy — identifying and managing conflicts within the board and management
Outsourcing policy — governing any outsourced functions, with a register of existing outsourcing arrangements
Draft terms of service — demonstrating that the client-facing contracts will comply with PSD2, EMD2, or MiCA as applicable
Internal control framework — describing the three lines of defence model and the company’s risk management structure
Remuneration policy — for companies subject to CRD IV or investment firm remuneration requirements

The legal preparation timeline

Legal preparation for a licence application typically takes 6–10 weeks for a standard EMI or PI application. This assumes the corporate structure is already in place. The timeline depends on the complexity of the governance structure, the number of regulatory roles to be documented, and how quickly draft documents can be reviewed and finalised with the founders and key personnel. We build the legal preparation timeline into the overall application project plan and coordinate with the compliance and regulatory advisory team to ensure all components are ready simultaneously.

Legal review of the application package

Before submitting to the Bank of Lithuania, we conduct a final legal review of the complete application package — checking for internal consistency between documents, confirming that all mandatory regulatory disclosures are present, and verifying that the governance documents reflect the actual management structure. Applications submitted with inconsistencies between documents are the most common cause of Bank of Lithuania information requests that extend the review timeline.

Frequently Asked Questions

The minimum legal documentation package for an EMI or PI application includes: articles of association, a corporate governance policy, board and management committee charters, director service agreements with fit-and-proper declarations, a conflict of interest policy, an outsourcing policy, draft terms of service compliant with PSD2 or EMD2, and a remuneration policy where applicable. MiCA applications require additional documents including a MiCA-compliant white paper (which is both a legal and marketing document) and MiCA client agreement templates. We prepare the full legal documentation package as part of our licence application support service.

The terms of service must be provided in a language understood by the client. For Lithuanian resident clients, Lithuanian-language terms are required. For foreign clients, English is generally acceptable. For an EMI or PI serving both Lithuanian and international clients, we prepare bilingual terms — Lithuanian and English — as the standard approach. The regulatory mandatory content (PSD2 pre-contractual disclosures) must be present in both language versions.

Under PSD2 and EMD2, any person or entity intending to acquire a qualifying holding in a licensed entity — defined as 10% or more of the shares or voting rights, or sufficient influence to appoint a director — must notify the Bank of Lithuania before the acquisition. The Bank of Lithuania then conducts a fit-and-proper assessment of the proposed acquirer and either approves, conditions, or objects to the acquisition. Notification thresholds also apply at 20%, 33%, and 50% ownership levels. Completing an ownership change without prior notification is a regulatory breach. We prepare the notification package and manage the Bank of Lithuania review process.

Generally yes, with careful drafting. PSD2 and EMD2 are EU-wide regulations, so a single set of PSD2-compliant terms governs payment services across the EU. However, certain provisions — complaint procedures, dispute resolution references, and specific consumer protection rules — may need to be adjusted for clients in specific member states. For companies passporting services into multiple EU countries, we review the terms against the specific national implementation requirements of the key target markets and prepare jurisdiction-specific addenda where needed.

A compliance officer at a Bank of Lithuania-licensed entity must have documented independence from the business lines they oversee, direct reporting access to senior management and the board, and protection from adverse consequences when they raise compliance concerns. The employment contract must include: a clear definition of the compliance role and its scope; a direct reporting line to the CEO and the board’s audit or risk committee; a provision preventing the compliance officer from being simultaneously responsible for business line functions that create conflicts; and explicit protection against dismissal or demotion for acting in good faith in the performance of compliance duties. These provisions are a Bank of Lithuania expectation, not just good practice.

DORA (Digital Operational Resilience Act — EU Regulation 2022/2554) applies to EU-licensed financial entities from January 2025, including Lithuanian EMIs, PIs, investment firms, and MiCA-authorised companies. It requires: an ICT risk management framework; ICT-related incident classification and reporting procedures; digital operational resilience testing; and ICT third-party risk management, including specific contractual requirements for agreements with critical ICT providers. The legal dimension involves: reviewing existing ICT vendor contracts to confirm DORA compliance; drafting DORA-compliant ICT contract addenda where needed; and preparing the internal ICT risk governance documents. We prepare DORA legal documentation as a standalone engagement or as part of an ongoing legal retainer.

Yes. Ongoing legal support for a licensed entity is one of our primary service models. A licensed entity’s legal needs are continuous — new regulations come into force, licence conditions need to be reviewed, commercial contracts need to be updated, staff change and new employment agreements are needed, and regulatory correspondence requires careful drafting. We provide ongoing legal support on a monthly retainer basis — quoted on request based on the expected volume of work — with a dedicated legal contact who knows the company’s full regulatory history.

Ready to discuss your fintech legal requirements?

Contact us to book an initial consultation. We will review your licence status or application stage, confirm the priority legal documents, and provide fixed-fee quotes for defined work within 24 hours. No retainer required to start — we work on a per-engagement basis until you decide ongoing support is needed.