Bank of Lithuania: fintech development warrants thorough risk assessment
Developing an environment conducive to competition and innovation in the financial services field is one of the Bank of Lithuania’s strategic directions. We aim to create a business-friendly financial sector which could offer consumers high quality and innovative services. This goal can only be achieved by implying effective tools for managing fintech-related risks.
Comment by Rūta Merkevičiūtė, Head of the Electronic Money and Payment Institution Supervision Division of the Bank of Lithuania
Lithuania’s fintech sector has been rapidly expanding. The Bank of Lithuania has already granted authorisation to nearly 120 market players (electronic money and payment institutions, crowdfunding and peer-to-peer lending platform operators, specialised banks). The Lithuanian fintech market might welcome up to 100 new participants this year. The majority (106) of the licensed fintech companies are electronic money and payment institutions – double the number compared to 2016. With rapid sector development, it becomes increasingly necessary to assess and manage the emerging risks.
The Bank of Lithuania’s risk management framework is applied prior to the licensing process. The Bank of Lithuania has launched a Newcomer Programme to consult potential market participants on business opportunities in Lithuania and provide a preliminary opinion on the compliance of their operating models with legal requirements. The Programme participants are introduced with expectations set by the Bank of Lithuania regarding the reputation of companies’ shareholders, its eligibility for licensing, business models and risk appetite. It should be noted that only a fifth of the companies that have participated in the Newcomer Programme applied for a licence in Lithuania.
Not all applicants complete the licensing phase successfully - by now, only 70% of them have been granted electronic money and payment institution licences. During the licensing process, the Bank of Lithuania evaluates the company’s operating model, compliance with capital requirements, suitability of its managers and shareholders, internal control management, protection of customer interests, and conformity to anti-money laundering requirements. Electronic money and payment institution licences are issued only provided that no grounds for non-issuance specified in legislation are established.
The Bank of Lithuania takes all possible measures to verify the information submitted by licence applicants and collect any additional information. For instance, the Bank of Lithuania in all cases applies to law enforcement authorities (State Security Department, Special Investigation Service, Financial Crime Investigation Service, Information Technology and Communications Department under the Ministry of the Interior of the Republic of Lithuania), requesting to submit the available information on the company’s managers, shareholders and other relevant parties. If the assessed persons are not citizens of the Republic of Lithuania, the law enforcement authorities collect the relevant information from corresponding foreign institutions and submit it to the Bank of Lithuania. Moreover, shareholders are also subject to assessment by the Commission for Assessment of Conformity of Potential Participants to National Security Interests. If the person under assessment is affiliated with financial market participants licensed in other countries, the Bank of Lithuania applies to the corresponding foreign authorities, requesting to provide the available information.
The assessment covers not only shareholders’ reputation, but also their financial reliability, the origin of owned funds, close links with other persons and foreign countries whose legislation may hinder the effective supervision. The list of shareholders to be assessed includes legal persons and their managers, as well as natural persons, i.e. all shareholders, starting with those owing at least 10% of the applicant’s shares, ending with the final beneficiary (natural person). In case applicants are related to “tax havens”, additional attention is paid to the legality of the origin of their funds, as well as the potential effect of such circumstances on the licensed activities. Upon receipt of negative information on events related to the assessed persons, the Bank of Lithuania evaluates their participation in a particular event and concludes whether such behaviour gives rise to any material doubt about the person’s ability to ensure the sound and prudent management of the financial market participant.
All applicants related to high risk activities or planning to provide services to higher‑risk customers are subject to particular scrutiny – it is assessed whether their operational and risk management procedures are detailed, reliable and adequate to the nature, scope and complexity of its activities. Therefore, there are various business models entailing higher or lower risks and applicants must in all cases ensure adequate measures to manage the emerging threats. For example, provision of services to non-residents is not in itself an illegal activity. However, if the operating model is targeted at higher‑risk countries, the institution has to ensure appropriate measures to manage these risks. Similarly, when providing financial services to customers engaged in activities related to virtual currencies, institutions should ensure compliance with anti-money laundering and counter terrorist financing requirements, and take appropriate measures to manage this kind of risk.
With a change of its managers or shareholders, the licensed institution must in advance apply for the Bank of Lithuania’s approval of the candidacy of the new manager or prior permission to acquire shares. Institutions are also responsible for ensuring that their managers and shareholders always comply with legal requirements. Therefore, in case of a change in any significant circumstances that may affect the assessment results, the licensed undertakings must assess the changed situation and inform the Bank of Lithuania accordingly. The assessment carried out by the Bank of Lithuania is analogous to that performed during the licensing process. In case an institution fails to fulfil its obligation to notify the Bank of Lithuania on the changed circumstances, it is subject to certain sanctions.
Licensed electronic money and payment institutions are obliged to provide periodic reports or ad hoc notifications which, over a couple of years, have increased in number – along with financial and activity reports, institutions now also have to submit reports on anti-money laundering. Financial and activity reports help to evaluate growth patterns of the authorised undertakings as well as their compliance with the requirements on supervisory capital and protection of customer funds. On the basis of the information contained in the reports on operational risk incidents, the Bank of Lithuania may assess the market situation and events that have not been anticipated by institutions and which have, or are likely to have, a negative impact on the integrity, availability and continuity of payment-related services. Using the data provided in the reports for supervision of the implementation of money laundering prevention measures, the Bank of Lithuania collects aggregated statistics on the share of non-resident customers, foreign inflows and outflows, as well as data on financial products.
Information received from reports and other sources is used in planning further supervisory steps. If there is any indication that the institution’s market position has significantly changed or its risk appetite has increased, the Bank of Lithuania initiates an assessment on whether its risk management tools are adequate. In case of non-compliance to the set requirements, the central bank takes enforcement measures corresponding to the extent and significance of a particular violation. By June 2019, electronic money and payment institutions have been imposed 21 enforcement measures, including 3 licence withdrawals, 1 manager’s suspension, 6 fines and 11 warnings.
If a licensed electronic money or payment institution fails to commence its activities within 12 months, the Bank of Lithuania has the right to revoke its licence. Currently, nearly 30% of the undertakings that have been granted electronic money or payment institution licences have not yet started their operation, yet the absolute majority of them were authorised less than a year ago. Since most of the licensed institutions are still making their first steps and will need time to get up and running, the Bank of Lithuania has been monitoring and assessing their compliance with the requirements and obligations imposed during the licensing process as well as the statutory duty to commence activities within 12 months of authorisation.