The first-year supervisory interactions are formative. The patterns we've seen across 24 EMI engagements.
The first year of EMI supervision
The Bank of Lithuania’s supervisory approach for newly licensed EMIs involves an initial on-site inspection within 6–12 months of licence grant. The inspection is structured around three areas: AML/CFT programme implementation, capital adequacy and client funds safeguarding, and governance and outsourcing arrangements. The BoL’s inspectors are technically proficient and have reviewed enough EMI operations to immediately distinguish between programmes that have been genuinely implemented and those that exist as documents but have not translated into operational practice.
The majority of findings from first-year inspections fall into two categories: alert-triage backlog management (the EMI is generating more alerts than its compliance team can clear within policy timelines), and documentation gaps in customer risk re-rating (the EMI has not re-assessed customer risk profiles against the criteria it committed to in its risk methodology). Both are addressable. Neither is treated as a critical finding on first occurrence, provided the EMI can demonstrate a credible remediation plan within 30 days of the inspection report.
AML programme scrutiny
Inspectors review AML programme implementation in detail: the customer risk methodology as written vs. as applied; the alert-triage process (timeline from alert generation to case closure, and whether that is within the policy commitment); the STR/CTR filing record (are filings being made within the required 3 business day window with narratives that reflect genuine analysis?); and the transaction monitoring rule set (have rules been calibrated against actual transaction patterns, or are they generic templates generating excessive false positives?).
The BoL has been particularly focused on customer risk re-rating — the process by which customers move from low to medium to high risk as their transaction patterns evolve. EMIs that conduct initial KYC rigorously but then do not re-assess customer risk profiles at defined intervals are consistently flagged. The policy commitment is typically “annual review for low-risk customers, quarterly for high-risk” — inspectors check whether those reviews are happening and documented.
The BoL inspectors know exactly what a genuine AML programme looks like and what a template looks like. The programmes that pass inspection are the ones where the compliance team can answer specific questions about specific customers and transactions — not just point to a policy document.GSS Legal — EMI and compliance practice
Capital adequacy and client funds safeguarding
Lithuania’s EMI capital requirement is the higher of EUR 350,000 or a method-based calculation using payment volume. What inspectors examine is not just whether the capital exists, but whether it is held in qualifying instruments and whether quarterly capital adequacy reports filed with the BoL reflect the actual calculation correctly. Client funds safeguarding — holding customer funds in a safeguarded bank account or invested in secure liquid assets — is an area of frequent findings. The common failures: commingling of operational and safeguarded funds; safeguarding account held at a bank whose credit quality does not meet BoL expectations; and safeguarding coverage gaps during intraday settlement windows.
Outsourcing and governance
Almost every EMI outsources significant operational functions — technology, compliance, MLRO support, sometimes customer service. The BoL’s outsourcing requirements under PSD2 and the EBA Guidelines require material outsourcing arrangements to be documented in written agreements including the right to audit, and subject to a formal vendor risk assessment. The inspection looks at whether the outsourcing register is current, whether vendor risk assessments have been conducted in the prior 12 months, and whether right-to-audit provisions have been exercised or are credibly exercisable.
Regulatory reporting
Lithuanian EMIs must file: quarterly capital adequacy reports, quarterly payment statistics, annual accounts, and ad hoc notifications for significant events. Late or inaccurate filings are a consistent source of minor findings. The most common failure is the quarterly payment statistics report, which requires more granular data than most EMIs’ reporting systems produce natively — typically either late or inaccurate in year one as the reporting infrastructure catches up.
Patterns across 24 engagements
Across our 24 EMI engagements through first-year supervision, the average finding count at first inspection is 3.2, with zero critical findings. The consistently recurring medium-severity findings: alert-triage backlog (16 of 24 engagements), documentation gaps in customer risk re-rating (14 of 24), and outsourcing register gaps (9 of 24). The consistently clean areas: capital adequacy calculation (2 of 24 had findings), ownership and governance structure (1 of 24), and STR/CTR filing timeliness (3 of 24). The pattern suggests where to invest pre-inspection preparation: alert management infrastructure and customer risk re-rating discipline are the two highest-return areas.
