The Bank of Lithuania has issued guidelines for those who intend to apply for an electronic money institution (EMI) or payment institution (PI) licence.
It is important to pay attention to the following remarks before submitting an application for an EMI or PI licence to the Bank of Lithuania:
- To include in the application a clear and detailed explanation of how you intend to implement requirements concerning the open API (Application Programming Interface).
– Get a sufficient understanding of legal and functional requirements.
– Decide whether you will develop an API yourself or acquire it from third parties.
– Place the testing facility and make the technical documentation available on your website.
– Provide the dedicated interface.
- To check whether you are providing your financial projections in line with the established and relevant form.
- To check if the 3-year financial projections provided are broken down by quarter and whether they reflect in detail the planned income, expenditure and capital approaches of the institution.
- To check whether you have included in your application dossier documents (e.g. an agreement or a draft agreement with a credit institution).
– If you cannot provide a signed agreement with a credit institution, you should provide a written “obligation letter” stating that, before starting to provide licensed financial services, you will submit to the Bank of Lithuania a copy of an agreement with a credit institution.
- To make sure that your designated manager is able to properly respond to changes to the operations of the institution and will ensure efficient communication with the Bank of Lithuania in the official language.
- To make sure that, as soon as you are granted the licence, you have the required specialists responsible for compliance and AML (anti-money laundering). The Bank of Lithuania recommends that, when applying for a licence, you have already identified employees responsible for:
– The fulfilment of the compliance task;
– The fulfilment of requirements concerning prevention of money laundering and terrorism financing.
- To check whether the proposed business plan is comprehensive and is not limited to standard statements from laws or business textbooks:
– specify the target audience.
– specify the organisational and management structure.
– describe in detail the competitive position of the institution.
– detail all the circumstances why the institution expects its operation to be successful.
– indicate all the advantages of the institution.
- If you intend to provide account information or payment initiation services only and, to ensure protection of customer funds, you will choose professional indemnity insurance, check whether you have included in your application dossier an insurance agreement or its draft.
- To check whether you are providing a report on the assessment of operational and security risks. The Bank of Lithuania recommends that the operational and security risk assessment is provided in the form of a table which should contain the following information:
– operational and security threats;
– evaluation of the probability, business impact and risk of these threats;
– next to each threat, specific technical (or organisational) measures that will be applied to reduce the risk of the identified threat;
– the established acceptable risk level.
- To check whether you have included in your application dossier information on best practices or international security standards that you will apply to ensure information, IT and cyber security.
- To check whether you have clarified in your application documents the customer authentication measures that you will use for customer access to consultations and operation performance, also for all underlying payment instruments.
- To make sure that the controls described ensure adequate protection of sensitive payment data.
- To check whether you have clearly indicated the information security controls that are applied in different areas within the institution (for staff and asset management, logical access, data encryption, physical security, management of IT operations, communication security, system development and support, relations with third party service providers, compliance and independent IT security reviews).
- To check whether risk assessment of the institution’s activities is comprehensive and detailed, considering the envisaged extent and nature of activities, also customers, activity-specific factors and risks (e.g. concerning customers, services, the channel for providing services, geography).
- To make sure that, in view of the risk assessment of the institution, you have provided a comprehensive description of controls.
- To check whether documents and internal rules provided do not contain any inconsistencies.
- To check whether, when describing the institution’s suspicious transaction monitoring scenarios, you have specified which of the scenarios will be implemented when monitoring the business relationship or operations of customers.
- To make sure that your draft payment service agreements are in line with the requirements of the Republic of Lithuania Law on Payments.
You should check if:
– you have provided definitions of all the terms used in the agreement;
– you have provided accurate and full information on the procedure for bringing complaints and disputes before the Bank of Lithuania.
Source: Bank of Lithuania