Enhancement of corporate governance, internal control and compliance culture
In 2023, the Bank of Lithuania published its third Dear CEO Letter to heads of EMIs and PIs. It provides observations and recommendations related to licensing services provision, proper governance, equity requirements, risk management, client funds protection, and other relevant issues.
- Dear CEO letter (123.3 KB)
In 2022, the Bank of Lithuania delivered specific proposals to payment service providers on how to improve customer service, accessibility of services and strengthen protection against fraud. The proposals were the result of the assessment of information on supervision of financial market participants, consumer complaints and disputes covering nearly two years.
- Dear CEO letter (197.2 KB)
In 2022, the Bank of Lithuania published its second Dear CEO Letter to heads of EMIs and PIs. It provides observations and recommendations related to the provision of licensing services, risk management, safeguarding customer funds and other relevant issues. The Dear CEO Letter presents an overview of issues related to the implementation of business plans, provision of licensing services, change of business model, safeguarding of customer funds, internal audit and internal control, risk management (including money laundering and terrorist financing, information and communication technologies, and security) and reporting.
- Dear CEO letter (114.6 KB)
In 2021, the Bank of Lithuania addressed representatives of the fintech sector and emphasised the requirements related to money laundering and terrorist financing risk management, equity capital, internal control, protection of customer funds, investigation of customer complaints, information and communication technology and security risk management, notification of the changes of managers and shareholders, reporting, data reliability, timely submission of reports and outsourcing.
- Dear CEO letter (125.3 KB)
Deficiencies identified during inspections
The Bank of Lithuania imposed sanctions on financial market participants for breaches of requirements for safeguarding client funds and own funds requirements as well as non-compliance with internal audit requirements. Below are the fundamental deficiencies that we encourage all financial market participants to pay attention to.
Requirements for safeguarding client funds
The institution held in the same account not only client funds but also funds of partners (i.e. persons distributing and/or redeeming electronic money issued by the institution), which were allocated to future card payments by the institution’s clients. As required by the institution, partners held funds for the purpose of reducing settlement risk. The funds in question did not yet have the characteristics of electronic money (they were not intended for payment transactions). This means that the funds of the institution’s clients were not separated from the funds of other persons who were not holders of electronic money; the institution therefore violated the Republic of Lithuania Law on Electronic Money and Electronic Money Institutions. Moreover, for some time, the institution had not regulated the process of safeguarding client funds at all, and subsequently its internal documentation in this area had substantial deficiencies: not all provisions were aligned with the requirements for safeguarding client funds established by the legal acts of the Republic of Lithuania and/or corresponded to the specifics and organisational structure of the institution’s activities. According to the law, if one of the methods of safeguarding is chosen, client funds must be held in separate accounts with credit institutions.
Own funds requirements
The institution incorrectly calculated the own funds requirement under Method D: in the sample of the previous six months it included the days of the current month as well as the days when it had not yet issued electronic money, and it calculated the average of the six-month averages for each month rather than the average of the six-month averages for each day. This resulted in non-compliance with the own funds requirements, in addition to a failure to ensure adequate internal control in this area. Using Method D, electronic money institutions have to calculate the own funds requirement on the basis of the average outstanding electronic money, i.e. the average total amount of financial liabilities of an electronic money institution related to electronic money issued at the end of each day during the last six months, calculated on the first day of each month and applicable for that month.
Requirements for the implementation of the internal audit function
The institution did not have a formally appointed internal auditor complying with the requirements laid down in subparagraph 9.4 of the Description of the Requirements for Electronic Money Institutions and Payment Institutions Concerning Governance Systems and Safeguarding of Received Funds approved by Resolution No 247 of the Board of the Bank of Lithuania of 30 December 2009 on the approval of the description of the requirements for electronic money institutions and payment institutions concerning governance systems and safeguarding of received funds, and no internal audit of the institution was carried out.
Failure to provide information to the Bank of Lithuania and/or submission of incorrect and inaccurate information
The information sent for supervisory purposes was inaccurate and was not provided in a timely manner, i.e. the institution submitted to the Bank of Lithuania the report on material changes in the requirements for the safeguarding of the funds of electronic money holders and/or payment service users (form EM008_12) concerning the agreement concluded with the credit institution X on 19 August 2022 to safeguard the funds of the institution’s clients only on 19 October 2022, thereby violating paragraph 141 of the Description of the Procedure for the Preparation of Financial and Activity Reports of Electronic Money and Payment Institutions for Supervisory Purposes and for the Submission of the Reports and Other Information to the Bank of Lithuania approved by Resolution No 03-259 of the Board of the Bank of Lithuania of 20 December 2018 on the approval of the description of the procedure for the preparation of financial and activity reports of electronic money and payment institutions for supervisory purposes and for the submission of the reports and other information to the Bank of Lithuania and on the approval of supervisory report forms. In addition, in the report on performance indicators and safeguarding of received funds (form EM008_05) for the reporting period of 30 September 2022, the institution unduly increased the amount of client funds to be safeguarded without deducting the funds paid by the institution during the last business day, thus providing incorrect information to the Bank of Lithuania and infringing subparagraph 21.1 of this Description.
Analyses and reports
Analysis of the implementation of internal control and governance arrangements reliability requirements
In carrying out the supervision of electronic money institutions (EMIs) and payment institutions (PIs), the Bank of Lithuania increasingly identifies deficiencies in the internal control, risk management and governance systems of the institutions during various inspections, documentary analyses and investigations. Therefore, as part of one of its strategic directions, to enhance the maturity and compliance culture of the fintech sector, it has analysed the implementation of the reliability requirements of the internal control and governance system by EMIs and PIs. The analysis assessed the state of play in the EMI and PI sector, looked at the related issues, identified potential risks and presented recommendations for further action.
The summary of the analysis provides succinct examples of good practices and practices to be improved by EMIs and PIs in the implementation of the reliability requirements of the internal control, risk management and governance system laid down in Resolution No 03-106 of the Board of the Bank of Lithuania of 23 July 2020 on the requirements for electronic money and payment institutions concerning internal control, risk management and protection of received funds. The sample of the analysis consists of documents and information provided by 6 institutions (5 EMIs and 1 PI).
Analysis of the implementation of the reliability requirements of the internal control and governance arrangements of EMIs and PIs (151.7 KB)
Analysis of internal audit function adequacy
When carrying out the supervision of EMIs and PIs through various inspections, documentary analyses and investigations, the Bank of Lithuania observes cases where the internal audit function is implemented inadequately or not put in place at all. Therefore, as part of one of its strategic directions, to enhance the maturity and compliance culture of the fintech sector, it has analysed and assessed the compliance of selected EMIs and PIs with the requirements of the performance of the internal audit function.
The analysis involved an overview of the main deficiencies in the performance of the internal audit function in the EMI and PI sector, identification of potential risks associated with the inadequate performance of the function, overview of the related problems and recommendations for further action.
The summary of the analysis provides its results and examples of good practices and practices to be improved in the implementation of the requirements for internal audit set forth in Section 4 of the Description of the Requirements for Electronic Money Institutions and Payment Institutions Concerning Governance Systems and Protection of Received Funds approved by Resolution No 03-106 of the Board of the Bank of Lithuania of 23 July 2020 on the requirements for electronic money and payment institutions concerning governance systems and protection of received funds. The sample of the analysis consists of documents and information provided by 15 institutions (11 EMIs and 4 PIs).
Analysis of the adequacy of the internal audit function in EMIs and PIs (153.5 KB)
Analysis of agreements concluded with credit institutions for custody of client funds
In carrying out the supervision of EMIs and PIs and as part of one of its strategic directions, to enhance the maturity and compliance culture of the fintech sector, the Bank of Lithuania conducted a documentary analysis of the safekeeping agreements concluded by EMIs and PIs with credit institutions. It assessed whether the provisions of these agreements ensure adequate and effective protection of customer funds in the course of the institutions’ operations or in the event of their insolvency, in accordance with Article 25 of the Republic of Lithuania Law on Electronic Money and Electronic Money Institutions and Article 17 of the Republic of Lithuania Law on Payment Institutions.
The summary of the analysis provides brief information on the implementation of the requirements for the protection of customer funds by the institutions as laid down by Resolution No 03-106 of the Board of the Bank of Lithuania of 23 July 2020 on the requirements for electronic money and payment institutions concerning internal control, risk management and protection of received funds. The sample of the analysis consists of documents and information provided by 42 institutions (24 EMIs and 18 PIs).
Analysis of agreements concluded by EMIs and PIs with credit institutions for custody of client funds (168.3 KB)