Compliance Services in Lithuania

AT A GLANCE

  1. Regulatory compliance in Lithuania encompasses AML/KYC obligations under the Law on the Prevention of Money Laundering and Terrorist Financing, GDPR data protection requirements, whistleblower channel implementation, and sector-specific compliance for licensed and regulated businesses.
  2. The Law on the Prevention of Money Laundering and Terrorist Financing (Pinigų plovimo ir teroristų finansavimo prevencijos įstatymas — PPTFPĮ) requires obliged entities — including financial institutions, crypto companies, lawyers, accountants, and others — to implement comprehensive AML programmes with risk assessments, KYC procedures, and suspicious transaction reporting.
  3. GDPR (EU Regulation 2016/679) applies directly to all Lithuanian companies processing personal data of EU residents. The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija — VDAI) is the supervisory authority; fines of up to €20 million or 4% of global annual turnover apply for serious violations.
  4. Lithuania’s anti-money laundering supervisor for non-financial sector obliged entities is the Financial Crime Investigation Service (Finansinių nusikaltimų tyrimo tarnyba — FNTT), which conducts inspections and can impose administrative fines of up to €1,000,000 per violation.
  5. We design, implement, and audit compliance programmes for Lithuanian companies and the Lithuanian operations of international groups — across AML/KYC, GDPR, whistleblowing, and sector-specific regulatory compliance.

Short answer

Compliance services cover the design, implementation, and ongoing management of the internal frameworks that keep a Lithuanian company on the right side of its regulatory obligations. For AML-obliged entities — financial institutions, crypto companies, virtual asset service providers, lawyers, and others — this means a full AML/KYC programme. For all companies, it means GDPR data protection compliance. For companies with 50+ employees, it means a whistleblower reporting channel. For licensed businesses, it means sector-specific regulatory compliance. We advise on applicable obligations, build the policy and procedural framework, train the relevant personnel, and provide ongoing advisory as the regulatory environment evolves.

AML/KYC Compliance — The Lithuanian Framework

The Law on Prevention of Money Laundering and Terrorist Financing (PPTFPĮ)

The Law on the Prevention of Money Laundering and Terrorist Financing (Pinigų plovimo ir teroristų finansavimo prevencijos įstatymas — PPTFPĮ) is the primary AML statute in Lithuania. It implements the EU’s Fourth and Fifth Anti-Money Laundering Directives (4AMLD — Directive 2015/849; 5AMLD — Directive 2018/843) and the Financial Action Task Force (FATF) Recommendations into Lithuanian law. The PPTFPĮ was substantially amended in 2020 and 2022 to align with the 5AMLD requirements, including the expansion of the obliged entity list and the mandatory public beneficial ownership registers.

Obliged entities — who must comply

The PPTFPĮ establishes a list of ‘obliged entities’ (įpareigotieji subjektai) — persons and businesses that must implement an AML programme. The obliged entity list has been expanded under 5AMLD. In Lithuania it includes:

  • Credit and financial institutions — banks, payment institutions (PIs), electronic money institutions (EMIs), investment firms, insurance companies
  • Virtual asset service providers (VASPs) — crypto exchange operators, digital wallet providers, and other crypto-related businesses registered with the Bank of Lithuania under the Law on Virtual Currency Exchange Operators and Deposit Virtual Currency Wallet Operators
  • Audit firms and auditors — statutory auditors and audit companies
  • Accountants and tax advisors — persons providing accounting, bookkeeping, or tax advisory services
  • Legal professionals — lawyers, notaries, and other legal professionals when they assist clients with specified transactions (real estate, company formation, management of client funds)
  • Real estate agents — estate agencies and individual agents
  • Traders in high-value goods — dealing in goods for cash consideration of €10,000 or more per transaction
  • Gambling service providers — land-based and online gambling operators
  • Crowdfunding platform operators and trust and company service providers

The five pillars of an AML programme

Every obliged entity must implement a risk-based AML programme under Article 12 PPTFPĮ. The programme must address five core areas:

  • Risk assessment — a written assessment of the money laundering and terrorist financing risks the entity faces, considering the entity’s clients, products, services, transactions, and geographic exposure. The risk assessment must be updated whenever there is a material change in the entity’s business model or when the FNTT or the Bank of Lithuania publishes updated national or sectoral risk assessments.
  • Customer due diligence (KYC) — procedures for identifying and verifying clients before establishing a business relationship. Standard CDD applies to all clients; Enhanced Due Diligence (EDD) applies to high-risk clients including Politically Exposed Persons (PEPs), clients from high-risk jurisdictions, and non-face-to-face relationships. Simplified CDD is available for low-risk clients in specific circumstances defined in Article 10 PPTFPĮ.
  • Ongoing monitoring — continuous monitoring of business relationships and transactions to ensure they are consistent with the entity’s knowledge of the client and the expected pattern of activity. Unusual or inconsistent transactions must be examined further.
  • Suspicious transaction reporting — a process for identifying and reporting suspicious transactions and activities to the FNTT through the FNTT’s FORSIS reporting system. The report must be filed without tipping off the client that a report has been made.
  • Internal controls — policies, procedures, and controls to prevent money laundering; staff training on AML obligations and red flags; designation of an AML officer; record-keeping for at least 8 years (Article 25 PPTFPĮ); and an annual internal audit of the AML programme.

The Money Laundering Reporting Officer (MLRO)

Every obliged entity must designate a Money Laundering Reporting Officer (MLRO) — the person responsible for receiving internal suspicious transaction reports from staff, assessing them, and filing external reports to FNTT. The MLRO must be a senior member of management or a designated officer with sufficient seniority and independence to perform the function effectively. For small obliged entities, the MLRO can be the director. For larger organisations, a dedicated compliance officer serves as MLRO. The MLRO must be named in the AML programme and must complete AML training. We advise on MLRO designation and responsibilities and can provide MLRO training for newly appointed compliance officers.

Customer Due Diligence (KYC) in Practice

The customer due diligence (CDD) framework under the PPTFPĮ distinguishes three levels of diligence based on the assessed risk of the client and the transaction. The correct calibration of CDD to risk level is what separates an effective AML programme from one that is either non-compliant (too little diligence) or operationally dysfunctional (too much diligence applied uniformly to all clients).

Standard CDD — Article 9 PPTFPĮ

Standard CDD must be applied to all new clients at the start of the business relationship and on an ongoing basis. Standard CDD requires: identification of the client (natural person or legal entity) and verification of the identity using reliable, independent sources; identification and verification of the beneficial owners of legal entity clients (UBOs — as defined in Article 2(9) PPTFPĮ consistent with the 5AMLD definition); obtaining information on the nature and purpose of the proposed business relationship; and ongoing monitoring of the relationship and transactions.

For legal entity clients, identity verification includes obtaining: the entity’s registration extract; the articles of association or equivalent; evidence of beneficial ownership (JADIS data in Lithuania; equivalent register or declaration for foreign entities); and identification documents for the UBOs and the authorised representatives of the entity.

Enhanced Due Diligence (EDD) — Article 11 PPTFPĮ

Enhanced Due Diligence is mandatory for high-risk clients and situations under the PPTFPĮ. EDD requires all the steps of standard CDD plus additional measures. EDD-triggering situations include:

  • Politically Exposed Persons (PEPs) — individuals who hold or have held a prominent public function. PEP status triggers EDD for the duration of the relationship plus 12 months after the PEP leaves office. EDD for PEPs requires: establishing the source of wealth and source of funds; obtaining senior management approval for establishing the relationship; and enhanced ongoing monitoring.
  • Clients or transactions involving high-risk third countries — countries identified by the European Commission as having strategic AML deficiencies. Currently approximately 20 countries are on the EU high-risk list.
  • Non-face-to-face client relationships — where the client is not physically present for identification. Remote CDD must be supplemented by additional verification measures (certified document copies, video identification, or verified electronic identity).
  • Correspondent banking relationships — when a Lithuanian credit institution establishes a correspondent banking relationship with a credit institution in a non-EU country.
  • Complex or unusually large transactions without apparent economic purpose.

Simplified CDD — Article 10 PPTFPĮ

Simplified CDD is available for low-risk clients in specific circumstances where the PPTFPĮ permits a reduced level of verification — including listed companies on regulated EU markets, public authorities, and clients presenting low risk based on the entity’s documented risk assessment. Simplified CDD does not mean no CDD — it means a reduced level of verification, applied consistently with a documented risk rationale.

GDPR Compliance in Lithuania

The EU General Data Protection Regulation (Regulation 2016/679 — GDPR) applies directly and without national implementation in Lithuania. It governs the processing of personal data of EU residents by any organisation that either is established in the EU or targets EU residents with goods or services. The Lithuanian supervisory authority is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija — VDAI).

Who is subject to GDPR in Lithuania

Every Lithuanian company that processes personal data — which means collecting, storing, using, transmitting, or deleting information about identifiable individuals — is subject to GDPR. There is no size threshold: a one-person company that stores client email addresses is subject to GDPR. The GDPR applies to employees’ data, clients’ data, suppliers’ data, website visitors’ data, and any other personal data the company handles.

The six GDPR compliance requirements we implement

  • Lawful basis for processing — every processing activity must have a lawful basis under Article 6 GDPR: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. Legitimate interests (Article 6(1)(f)) is the most commonly applicable basis for B2B processing but requires a documented balancing test.
  • Privacy notices — individuals whose data is processed must be informed of the processing under Articles 13–14 GDPR. Website privacy policies, employee privacy notices, and client data processing notices must be current, complete, and accessible.
  • Data subject rights — individuals have the right to access their data, correct it, delete it (‘right to be forgotten’), restrict processing, and object to processing. Companies must have documented procedures for handling these requests within the statutory 30-day response period.
  • Data processing agreements — where a Lithuanian company uses third-party processors (cloud services, payroll providers, email marketing platforms), a Data Processing Agreement (DPA) under Article 28 GDPR must be in place with each processor.
  • Data breach notification — Article 33 GDPR requires notification to the VDAI within 72 hours of becoming aware of a personal data breach that poses a risk to individuals’ rights. Breaches posing a high risk must also be notified to the affected individuals. A breach response plan must be in place.
  • Data Protection Officer (DPO) — a DPO is mandatory under Article 37 GDPR for public authorities, companies whose core activity involves large-scale systematic monitoring, and companies whose core activity involves large-scale processing of sensitive data. For other companies, a voluntary DPO appointment or a DPO-as-a-service arrangement is advisable.

VDAI enforcement — fines and investigations

The VDAI has progressively increased its enforcement activity. Fines under GDPR are tiered: up to €10 million or 2% of global annual turnover for technical violations (inadequate security, failure to appoint a DPO, record-keeping failures); and up to €20 million or 4% of global annual turnover for substantive violations (unlawful processing, breach of data subject rights, unauthorised international transfers). In practice, VDAI fines for Lithuanian companies have typically been in the range of €2,000–€50,000 for most violations — but the maximum has been applied to serious cases. VDAI investigations are frequently triggered by data subject complaints, which can be submitted directly to VDAI online.


Records of Processing Activities (RoPA)

Under Article 30 GDPR, every company with 250+ employees must maintain a Record of Processing Activities — a written inventory of all the personal data processing activities the company undertakes. Companies with fewer than 250 employees are exempt from the mandatory RoPA requirement unless their processing poses a risk to rights and freedoms, is not occasional, or includes special category data. In practice, we recommend all Lithuanian companies maintain a RoPA regardless of size — it is the foundational document of any GDPR compliance programme and significantly simplifies responses to VDAI investigations and data subject requests.

Compliance Services We Provide

AML/KYC Programme Design and Implementation

We design and implement the complete AML/KYC compliance programme required under the PPTFPĮ for obliged entities — from the initial risk assessment through to the operational procedures and staff training. The programme is designed to be proportionate to the entity's size and risk profile — meeting the PPTFPĮ and FNTT standards without creating operational overhead that impedes legitimate business.

  • AML risk assessment — identifying and assessing the money laundering and terrorist financing risks specific to the entity's business model, client base, products, and geographic exposure
  • AML policy and procedure manual — documented policies for CDD, EDD, simplified CDD, ongoing monitoring, and suspicious transaction reporting
  • KYC onboarding procedures — step-by-step client onboarding checklists for different client types (individuals, companies, trusts, PEPs, high-risk jurisdictions)
  • MLRO designation and role documentation — defining the MLRO's authority, reporting lines, and responsibilities within the organisation
  • Suspicious transaction reporting procedures — internal escalation process and FNTT reporting via FORSIS
  • AML staff training — tailored training for frontline staff (client-facing), compliance staff, and senior management
  • Annual AML programme review and update — updating the programme for regulatory developments and changes in the entity's risk profile

GDPR Compliance Programme

We implement the complete GDPR compliance framework for Lithuanian companies — from the data audit that identifies what personal data the company processes, through to the privacy notices, data processing agreements, breach response plan, and staff training. For companies that already have a GDPR framework, we conduct gap assessments and update documentation to reflect regulatory developments.

  • Data processing audit — mapping all personal data the company collects, uses, stores, and transmits; identifying the lawful basis for each processing activity
  • Records of Processing Activities (RoPA) — preparing the Article 30 GDPR register of all processing activities
  • Privacy notices — drafting website privacy policy, employee privacy notice, and client data processing information
  • Data Processing Agreements (DPAs) — reviewing and negotiating DPAs with cloud providers, payroll processors, email platforms, and other data processors
  • Data subject rights procedures — internal process for handling access requests, deletion requests, and objections within the 30-day statutory period
  • Data breach response plan — incident classification, notification procedures, VDAI reporting, and documentation templates
  • DPO services — acting as external Data Protection Officer for companies that require or elect to have a DPO
  • GDPR training — tailored training for all staff (general awareness), IT teams (data security), and management (governance obligations)

Whistleblower Protection Channel Implementation

Under the Lithuanian Law on the Protection of Whistleblowers (Pranešėjų apsaugos įstatymas), implementing Directive (EU) 2019/1937, companies with 50 or more employees must establish an internal whistleblowing channel. The channel must allow employees to report violations of Lithuanian law confidentially, and the company must investigate reports, maintain confidentiality, and protect reporters from retaliation.

  • Internal reporting channel design — establishing a confidential reporting mechanism (dedicated email, online form, or dedicated contact) separate from the management chain
  • Whistleblower policy — defining the categories of reportable violations, the investigation process, the confidentiality protections, and the anti-retaliation provisions
  • Responsible person designation — designating the compliance officer or an external person as the recipient and investigator of whistleblower reports
  • Report investigation procedure — a documented process for assessing, investigating, and responding to reports within the statutory timeframes (acknowledgement within 7 days; outcome notification within 3 months)
  • Anti-retaliation provisions — documenting the protections available to whistleblowers and the consequences for retaliation
  • Employee communication and training — informing all employees of the channel's existence, purpose, and protections

Financial Services Regulatory Compliance

For companies in the financial services sector — EMIs, payment institutions, investment firms, crowdfunding platforms, and virtual asset service providers — compliance with the requirements of the Bank of Lithuania and sector-specific legislation is a condition of maintaining the licence. We advise on ongoing regulatory compliance for licensed entities.

  • Bank of Lithuania reporting — periodic and ad hoc regulatory reporting obligations for licensed entities; preparation and submission
  • Capital adequacy monitoring — ensuring the entity maintains the minimum own funds required under the applicable licensing framework at all times
  • Regulatory change monitoring — tracking Bank of Lithuania circulars, EBA guidelines, and EU regulatory changes affecting the entity's operations
  • Internal controls and governance — designing the internal control framework required by Bank of Lithuania supervisory expectations
  • Regulatory correspondence management — responding to Bank of Lithuania queries, inspections, and requests for information
  • MiCA compliance (Crypto Asset Service Providers) — advising on compliance with EU Regulation 2023/1114 (Markets in Crypto-Assets), which entered into application in December 2024 for CASPs
  • Consumer complaint handling procedure — mandatory complaint handling framework for licensed financial services providers

Compliance Audit and Gap Assessment

For companies that have existing compliance frameworks — whether inherited, assembled piecemeal over time, or implemented without specialist input — a compliance audit identifies the gaps between the current state and the regulatory requirements. The audit produces a written gap report and a prioritised remediation plan.

  • AML/KYC compliance audit — reviewing the existing AML programme against the PPTFPĮ and FNTT inspection standards; identifying deficiencies and providing a prioritised remediation plan
  • GDPR compliance audit — reviewing data processing activities, lawful bases, privacy notices, DPAs, and security measures against GDPR requirements
  • Corporate compliance health check — reviewing the company's overall compliance posture across AML, GDPR, and applicable sectoral requirements; written summary report
  • Pre-inspection preparation — preparing a company for an FNTT inspection or VDAI investigation; mock audit walkthrough; documentation organisation
  • Post-inspection remediation — implementing the corrective actions required by an FNTT or VDAI inspection finding
  • Compliance programme updates — annual review and update of AML, GDPR, and other compliance documentation for regulatory changes and business developments

Supervisory Authorities and Enforcement

Understanding which authority supervises which obligation — and what the enforcement consequences are — is essential for prioritising compliance investment. The three most commercially significant supervisors for Lithuanian businesses are:

Each entry gives the authority and its abbreviation, its area of supervision, and the maximum fine it can impose:

  • Financial Crime Investigation Service (FNTT): AML/KYC compliance for non-financial sector obliged entities (accountants, lawyers, real estate agents, VASPs, trust and company service providers). Maximum fine: €1,000,000 per violation.
  • Bank of Lithuania (LB): AML/KYC and prudential compliance for financial sector entities (banks, EMIs, PIs, investment firms, crypto VASPs under Bank of Lithuania supervision). Maximum fine: €5,000,000 or 10% of annual turnover per violation.
  • State Data Protection Inspectorate (VDAI): GDPR compliance for all organisations processing personal data of EU residents. Maximum fine: €20,000,000 or 4% of global annual turnover.
  • State Labour Inspectorate (VDI): labour law compliance; employment contracts; working time; workplace safety; whistleblower protection. Maximum fine: €3,000 per violation (individuals); higher for serious safety violations.
  • Competition Council (RRT): competition law compliance; anti-competitive agreements; market abuse; merger control. Maximum fine: 10% of global annual turnover.
  • Ministry of Finance / VMI (VMI): tax compliance; CIT, VAT, GPM, SoDra; transfer pricing; tax evasion. Maximum sanction: 50% surcharge on evaded tax plus daily interest at 0.03%.

Compliance Services Pricing

Compliance programme design and implementation are priced at fixed fees for defined scope. Ongoing compliance advisory retainers are quoted after an initial assessment of the entity’s compliance obligations and current maturity.

Each entry gives the service, its price, and the scope covered:

  • AML risk assessment (obliged entity): €900. Written risk assessment covering client risk, product risk, geographic risk, and transaction risk; PPTFPĮ Article 12 compliant.
  • AML programme design and documentation: €3,500. Full AML/KYC programme: policy manual, CDD/EDD procedures, monitoring, reporting, MLRO designation, record-keeping.
  • AML programme — fintech / VASP (enhanced): €3,200. Enhanced programme for crypto, payments, and financial services obliged entities; Bank of Lithuania standards.
  • KYC onboarding procedure set (per client type): €800. Individual clients, legal entity clients, PEP procedures, high-risk jurisdiction procedures; priced per procedure set.
  • MLRO training (per session): €1,000. 3-hour training session for a newly appointed MLRO; AML framework, reporting obligations, and the FORSIS system.
  • AML staff training (per session, up to 20 participants): €900. Red flags, CDD obligations, suspicious transaction identification, and reporting procedures.
  • Annual AML programme review and update: €900. Updating the programme for regulatory changes; reviewing the risk assessment; refreshing procedures.
  • GDPR data processing audit: €900. Mapping all processing activities; lawful basis assessment; written audit report.
  • GDPR compliance programme — standard company: €1,600. RoPA, privacy notices, DPA template, data subject rights procedures, breach response plan.
  • GDPR compliance programme — data-intensive company: €2,600. For companies processing significant volumes or special categories of data; includes DPO advisory.
  • Privacy policy and employee privacy notice: €700. Website privacy policy and internal employee privacy notice; Articles 13–14 GDPR compliant.
  • Data Processing Agreement (DPA review / drafting): €600. Reviewing a counterparty DPA or drafting a standard DPA for use with processors.
  • DPO as a service — monthly retainer: from €800/month. External Data Protection Officer; point of contact for VDAI; data subject request handling; breach notification.
  • GDPR breach response advisory (per incident): €1,000. Breach assessment; VDAI notification preparation; data subject notification if required.
  • Whistleblower channel implementation: €900. Channel design, whistleblower policy, responsible person designation, investigation procedure, staff communication.
  • AML/KYC compliance audit: €1,300. Reviewing the existing programme against PPTFPĮ/FNTT standards; written gap report and remediation plan.
  • GDPR compliance audit: €900. Reviewing the existing data protection framework against GDPR; written gap report.
  • Pre-FNTT/VDAI inspection preparation: €900. Mock audit walkthrough; documentation organisation; management briefing.
  • Corporate compliance health check (all areas): €1,600. AML, GDPR, and applicable sector compliance; holistic written assessment and prioritised remediation.
  • Compliance advisory retainer — standard: from €900/month. Ongoing regulatory updates; query response; annual review of core policies and procedures.
  • Compliance advisory retainer — financial services: from €900/month. Bank of Lithuania reporting; regulatory change monitoring; MiCA/AML ongoing advisory for licensed entities.

Ready to build your compliance programme?

Contact us to discuss your company’s compliance obligations — whether it is an AML programme for an obliged entity, GDPR implementation, a whistleblower channel, or an audit of an existing compliance framework. We will identify the applicable requirements, assess your current compliance maturity, and provide a scoped engagement proposal.