Bank of Lithuania

[[#ex]]

Consultations

In 2023, the Bank of Lithuania conducted an anonymous survey of EMIs and PIs, aimed at assessing whether their governance adheres to best practice principles. Here are the slides from the presentation of the survey results:

Application of the best practice principles in the governance (491.9 KB download icon)

Presentation on own funds requirements for payment institutions and electronic money institutions prepared in 2023:

Capital formation options for the EMI and PI sector (419.6 KB download icon)

A series of consultation events for payment institutions and electronic money institutions took place in 2023. Find the presentation here:

Prudential developments in electronic money and payment institutions (474.6 KB download icon

Issues in payment service provision (699 KB download icon)


Annual meetings with representatives of the EMI and PI sector

In 2024, the annual meeting of the representatives of the Bank of Lithuania and Electronic Money and Payment Institutions was held, where the strategy of the Bank of Lithuania for 2024-2026, the review of the EMI and PI sector for 2023, the priorities and emphasis of supervision for 2024 and the progress of the transformation of reporting data acceptance systems were presented.


Enhancement of corporate governance, internal control and compliance culture

With a view of facilitating cooperation and dialogue, in 2024, the Bank of Lithuania hereby applies to institutions intending to publicly offer or seek admission to trading of asset-referenced tokens (ART) or electronic money tokens (EMT) in the future, and draws the attention of the institutions to certain requirements of Regulation (EU) No 2023/1114 of the European Parliament and of the Council on markets in crypto-assets (hereinafter – MiCAR) and encourages the institutions to make timely preparations for the implementation of MiCAR.

In 2023, the Bank of Lithuania published its second Dear CEO Letter on "Improving the Provision of Payment Services and the Experience of Users of Payment Services" addressed to financial institutions. It draws attention to certain shortcomings in the performance of financial institutions and provides recommendations that the Bank of Lithuania believes will help improve the seamless provision and quality of payment services.

In 2023, the Bank of Lithuania has developed the Principles of Good Governance Practices for Electronic Money and Payment Institutions.

In 2023, the Bank of Lithuania published its third Dear CEO Letter to heads of EMIs and PIs. It provides observations and recommendations related to licensing services provision, proper governance, equity requirements, risk management, client funds protection, and other relevant issues.

In 2022, the Bank of Lithuania delivered specific proposals to payment service providers on how to improve customer service, accessibility of services and strengthen protection against fraud. The proposals were the result of the assessment of information on supervision of financial market participants, consumer complaints and disputes covering nearly two years.

In 2022, the Bank of Lithuania published its second Dear CEO Letter to heads of EMIs and PIs. It provides observations and recommendations related to the provision of licensing services, risk management, safeguarding customer funds and other relevant issues. The Dear CEO Letter presents an overview of issues related to the implementation of business plans, provision of licensing services, change of business model, safeguarding of customer funds, internal audit and internal control, risk management (including money laundering and terrorist financing, information and communication technologies, and security) and reporting.

In 2021, the Bank of Lithuania addressed representatives of the fintech sector, emphasised the requirements related to money laundering and terrorist financing risk management, equity capital, internal control, protection of customer funds, investigation of customer complaints, information and communication technology and security risk management, notification of the changes of managers and shareholders, reporting, data reliability, timely submission of reports and outsourcing.

[[#ex]]

Deficiencies identified during inspections

The Bank of Lithuania imposed sanctions on financial market participants for breaches of requirements for safeguarding client funds and own funds requirements as well as non-compliance with internal audit requirements. Below are the fundamental deficiencies that we encourage all financial market participants to pay attention to.

[[#ex]]

Requirements for the safeguarding of customer funds and internal controls in this area

The institution held in the same account not only client funds but also funds of partners (i.e. persons distributing and/or redeeming electronic money issued by the institution), which were allocated to the future card payments by institution’s clients. As required by the institution, partners held funds for the purpose of reducing settlement risk. The funds in question did not yet have the characteristics of electronic money (they were not intended for payment transactions). This means that the funds of the institution’s clients were not separated from the funds of other persons who were not holders of electronic money, therefore the institution violated the Republic of Lithuania Law on Electronic Money and Electronic Money Institutions. Moreover, for some time, the institution had not regulated the process of safeguarding client funds at all, and subsequently internal documentation in this area had substantial deficiencies: not all provisions were aligned with the requirements for safeguarding client funds established by the legal acts of the Republic of Lithuania and/or corresponded to the specifics and organisational structure of the institution’s activities. According to the law, if one of the methods of safeguarding is chosen, client funds must be held in separate accounts with credit institutions.

The institution’s controls over the safeguarding of customer funds were not separated from other group companies and were carried out on a group-wide basis. The outsourcing contract did not clearly and comprehensively identify the activities and tasks delegated to the group companies for the control of the requirements for safeguarding of customer funds and the organisational chart of the institution did not clearly indicate that some of the staff members identified in the chart are employed by the group and perform functions under the outsourcing contract, i.e. it did not indicate that an operational function had been delegated and did not indicate the name of the company in which they are employed.

The institution had not segregated the funds of one of its customers, who is a registered intermediary of the institution, but received and held them in a special account for the company of the group to which the institution belongs. This infringement was identified by the institution and registered in the incident register, but it continued for more than six months and the institution did not take appropriate internal controls to resolve it in a timely manner, such as failing to notify in time the responsible person designated under the internal documents, who was obliged to inform the head of the institution. The incident was also not reported to the Management Board, which did not take the necessary and timely decisions to ensure that the customer funds were adequately safeguarded. It should be concluded that the decision to continue the infringement was taken by the institution’s controlling officers, i.e. the amount needed to protect the customer funds was not immediately transferred to the institution’s special account for customer funds. It was also determined that the institution had not adopted internal documents establishing the process for the safeguarding of funds of electronic money holders and/or payment service users, the procedures for the accounting of such funds and the procedures for the internal control of such funds.

The inspection revealed that the institution, together with another company of the group to which the institution belongs, which is an electronic money institution, provides payment services to its customers using payment card payment schemes (VISA/MasterCard). The institution provides/issues cards to its customers and the group company has the status of the principal member of the VISA/MasterCard scheme. As a participant in the VISA/MasterCard scheme, it is obliged to reserve funds in the bank accounts specified in the contracts with VISA/MasterCard. Under informal arrangements, the institution also formed part of the reserves in accordance with the proportions of transactions of customers who received services through the VISA/MasterCard systems. The cooperation between the institution and the group company was not formalised in law during the period under review, i.e. there were no cooperation agreements signed between the institution and the group company in this area, the principles of cooperation between the parties were not established, the responsibilities of the parties were not defined, the conditions for the provision of services to the institution’s customers, the grounds for the receipt and use of funds of the institution’s customers, the restrictions, controls and other aspects of the cooperation were not laid down. The institution transferred part of its customer funds to accounts belonging to another legal entity without ensuring their protection and without any legal basis for doing so. The institution indicated that the process of building up the institution’s share of the reserves was as follows: the institution’s customers transferred their own funds to the institution’s operational accounts, and the institution transferred these funds to the group company’s accounts for the purpose of building up the VISA/MasterCard system reserves. The inspection revealed that, in the case of one of the institution’s customers (and intermediary), a different practice was followed: the customer transferred funds to the institution’s customer funds account with a credit institution, the institution treated these funds as an amount to be safeguarded and, in turn, made periodic transfers directly to the group company’s account with the bank for the purpose of building up the reserves under the MasterCard system participant’s obligations. Thus, the institution did not use its own funds to cover the obligations of the other group company under the latter’s contractual relationship with MasterCard, but used its customer funds to be safeguarded. In the light of these circumstances, whereby the institution received funds from one of its customers, held them in another electronic money institution and failed to safeguard them properly, i.e. the institution failed to safeguard a significant part of the customer funds to be safeguarded, and also used part of the funds of its own customers to create reserves in the accounts of the other electronic money institution, without any legal basis for doing so, in order to secure the obligations of the other company in respect of its contractual relationship with the latter.


Equity capital requirements and internal controls in this area

The institution incorrectly calculated the own funds requirement under Method D, i.e. in the sample of the previous six months the institution included the days of the current month as well as the days when it had not yet issued electronic money and calculated the average of the six-month averages for each month but not the average of the six-month averages for each day, resulting in non-compliance with the own funds requirements, in addition to failure to ensure adequate internal control in this area. Using Method D, electronic money institutions have to calculate the own funds requirement on the basis of the average outstanding electronic money, i.e. the average total amount of financial liabilities of an electronic money institution related to electronic money issued at the end of each day during the last six months, calculated on the first day of each month and applicable for that month.

The capital calculation process was not regulated in the institution and the efforts of the CFO in another country and the institution’s accounting partner in Lithuania were not sufficient to ensure proper internal control of the process, and the persons employed by the institution were not involved in the management of the process in any way. The inadequate internal control of the process resulted in the equity capital requirement being calculated in accordance with paragraph 13 of the Regulations for the Calculation of Own Funds of Electronic Money Institutions and Payment Institutions approved by Resolution No 03-83 of 24 May 2018 of the Board of the Bank of Lithuania On the Approval of the Regulations for the Calculation of Own Funds of Electronic Money Institutions and Payment Institutions and the Forms of Reports on the Calculation of Initial Capital and Own Funds of Electronic Money Institutions (Payment Institutions) and that the information related to the institution’s own funds used within the institution and provided to the supervisory authority in the respective reports is reliable and appropriate, and the activities of the institution comply with the requirements of the legislation.


Governance arrangements

By failing to clearly designate a supervisory body and to define its functions in its internal documents, the institution has failed to ensure clear and reliable governance arrangements.

By appointing a person performing control functions (risk management and/or compliance with the requirements for safeguarding of customer funds) and a member of the Management Board of the institution, the institution did not establish procedures for the management of conflicts of interest, did not manage the risks arising from conflicts of interest, did not ensure that the member of the Management Board would not be involved in the decision-making process related to the relevant control function he/she performs as stated in subparagraph 9.4 of the Description of Requirements for Electronic Money Institutions and Payment Institutions regarding the Governance Arrangements and Safeguarding of Received Funds approved by Resolution No 247 of 30 December 2009 of the Board of the Bank of Lithuania On Approval of the Description of Requirements for Electronic Money Institutions and Payment Institutions regarding the Governance Arrangements and Safeguarding of Received Funds.


Requirements for the implementation of the internal audit function

The institution did not have a formally appointed internal auditor complying with the requirements laid down in subparagraph 9.4 of the Description of the Requirements for Electronic Money Institutions and Payment Institutions Concerning Governance Systems and Safeguarding of Received Funds approved by Resolution No 247 of the Board of the Bank of Lithuania of 30 December 2009 on the approval of the description of the requirements for electronic money institutions and payment institutions concerning governance systems and safeguarding of received funds, and no internal audit of the institution was carried out.


Failure to provide information to the Bank of Lithuania and/or submission of incorrect and inaccurate information

The information sent for supervisory purposes was inaccurate and was not provided in a timely manner, i.e. the institution submitted to the Bank of Lithuania the report on material changes in the requirements for the safeguarding of the funds of electronic money holders and/or payment service users (form EM008_12) concerning the agreement concluded with the credit institution X on 19 August 2022 to safeguard the funds of the institution’s clients only on 19 October 2022, thereby violating paragraph 141 of the Description of the Procedure for the Preparation of Financial and Activity Reports of Electronic Money and Payment Institutions for Supervisory Purposes and for the Submission of the Reports and Other Information to the Bank of Lithuania approved by Resolution No 03-259 of the Board of the Bank of Lithuania of 20 December 2018 on the approval of the description of the procedure for the preparation of financial and activity reports of electronic money and payment institutions for supervisory purposes and for the submission of the reports and other information to the Bank of Lithuania and on the approval of supervisory report forms. In addition, in the report on performance indicators and safeguarding of received funds (form EM008_05) for the reporting period of 30 September 2022, the institution unduly increased the amount of client funds to be safeguarded without deducting the funds paid by the institution during the last business day, thus providing incorrect information to the Bank of Lithuania and infringing subparagraph 21.1 of this Description.

[[#ex]]

Analyses and reports

[[#ex]]

Analysis of the implementation of internal control and governance arrangements reliability requirements

In carrying out the supervision of electronic money institutions (EMIs) and payment institutions (PIs), the Bank of Lithuania increasingly identifies deficiencies in the internal control, risk management and governance systems of the institutions during various inspections, documentary analyses and investigations. Therefore, as part of one of its strategic directions, to enhance the maturity and compliance culture of the fintech sector, it has analysed the implementation of the reliability requirements of the internal control and governance system by EMIs and PIs. The analysis assessed the state of play in the EMI and PI sector, looked at the related issues, identified potential risks and presented recommendations for further action.

The summary of the analysis provides succinct examples of good practices and practices to be improved by EMIs and PIs in the implementation of the reliability requirements of the internal control, risk management and governance system laid down in Resolution No 03-106 of the Board of the Bank of Lithuania of 23 July 2020 on the requirements for electronic money and payment institutions concerning internal control, risk management and protection of received funds. The sample of the analysis consists of documents and information provided by 6 institutions (5 EMIs and 1 PI).

Analysis of the implementation of the reliability requirements of the internal control and governance arrangements of EMIs and PIs (151.7 KB download icon)


Analysis of internal audit function adequacy

When carrying out the supervision of EMIs and PIs through various inspections, documentary analyses and investigations, the Bank of Lithuania observes cases where the internal audit function is implemented inadequately or not put in place at all. Therefore, as part of one of its strategic directions, to enhance the maturity and compliance culture of the fintech sector, it has analysed and assessed the compliance of selected EMIs and PIs with the requirements of the performance of the internal audit function.

The analysis involved an overview of the main deficiencies in the performance of the internal audit function in the EMI and PI sector, identification of potential risks associated with the inadequate performance of the function, overview of the related problems and recommendations for further action.

The summary of the analysis provides its results and examples of good practices and practices to be improved in the implementation of the requirements for internal audit set forth in Section 4 of the Description of the Requirements for Electronic Money Institutions and Payment Institutions Concerning Governance Systems and Protection of Received Funds approved by Resolution No 03-106 of the Board of the Bank of Lithuania of 23 July 2020 on the requirements for electronic money and payment institutions concerning governance systems and protection of received funds. The sample of the analysis consists of documents and information provided by 15 institutions (11 EMIs and 4 PIs).

Analysis of the adequacy of the internal audit function in EMIs and PIs (153.5 KB download icon)


Analysis of agreements concluded with credit institutions for custody of client funds

In carrying out the supervision of EMIs and payment institutions PIs and as part of one of its strategic directions, to enhance the maturity and compliance culture of the fintech sector, the Bank of Lithuania conducted a documentary analysis of the safekeeping agreements concluded by EMIs and PIs with credit institutions and assessed whether the provisions of the safekeeping agreements concluded by the EMIs and PIs with credit institutions ensure adequate and effective protection of customer funds in the course of the institutions’ operations or in the event of their insolvency, in accordance with Article 25 of the Republic of Lithuania Law on Electronic Money and Electronic Money Institutions and Article 17 of the Republic of Lithuania Law on Payment Institutions.

The summary of the analysis provides brief information on the implementation of the requirements for the protection of customer funds by the institutions as laid down by Resolution No 03-106 of the Board of the Bank of Lithuania of 23 July 2020 on the requirements for electronic money and payment institutions concerning internal control, risk management and protection of received funds. The sample of the analysis consists of documents and information provided by 42 institutions (24 EMIs and 18 PIs).

Analysis of agreements concluded by EMIs and PIs with credit institutions for custody of client funds (168.3 KB download icon)

[[#ex]]

Last update: 24-05-2024