Lithuania EMI licence requirements in practice

If you are planning EU-wide payments from day one, Lithuania is usually on the shortlist for a reason - it offers a credible regulator, an established fintech ecosystem, and a route to passporting once authorised. But the same features that make it attractive also make it unforgiving: the Bank of Lithuania expects real substance, not a slide deck and a nominee director.

This is a practical explanation of Lithuania EMI licence requirements as they work in real projects - what you must evidence, where applications fail, and what to decide before you spend money on buildout.

What an EMI licence in Lithuania actually allows

An Electronic Money Institution (EMI) authorisation lets you issue electronic money and provide payment services under PSD2 (such as card acquiring, money remittance, payment initiation, and account information - depending on your permissions). In commercial terms, it is the difference between being a regulated principal and being dependent on an agent, a sponsor bank, or an EMI-as-a-service provider.

That independence comes with heavy obligations: safeguarding client funds, running an AML/CTF framework that works in practice, handling complaints and operational incidents, and maintaining governance that the regulator can rely on.

The two routes: EMI vs smaller institutions

Lithuania offers different regulatory routes depending on your business model and ambitions. If you need cross-border scale, you are typically looking at a full EMI licence. If your volumes and geography are limited, there may be a lighter route (for example, a small EMI regime) but it restricts activities and usually does not deliver the same commercial outcome for fast-growing fintechs.

The trade-off is simple. Full authorisation takes more time and costs more to build properly, but it is bankable and scalable. Lighter regimes can be quicker, yet they often become a bottleneck when you want serious partnerships, card programmes, or institutional banking.

Capital requirements: plan for more than the minimum

For a full EMI, the initial capital requirement is typically EUR 350,000. That figure is not the whole story.

The Bank of Lithuania will assess whether your own funds are adequate for the risk profile and projected activity. If your forecasts imply rapid growth, high transaction values, higher-risk corridors, or complex products (for example, multi-currency accounts, crypto-adjacent flows, or marketplace models), you should expect deeper questions on capital planning, liquidity, and runway.

A common mistake is treating capital as a box-tick. In practice, you need to show where it comes from, that it is clean (source of funds), that it is available, and that the group structure does not create hidden leverage or control risk.

Substance and governance: the regulator wants an operator, not a shell

Lithuania does not licence “ideas”. It licences operational institutions.

You should be ready to evidence local substance: decision-making in Lithuania, clear reporting lines, and an organisational chart that matches your risk and volumes. Outsourcing is permitted, but it must be controlled. If your whole operation is outsourced and your Lithuanian entity cannot explain, monitor, and challenge the provider, you will struggle.

Management and supervisory expectations

Expect scrutiny on the fitness and propriety of key individuals. The regulator will look for relevant payments experience, regulatory maturity, and realistic time commitment. If you propose a board or management team that is impressive on paper but unavailable day-to-day, it reads as governance theatre.

You also need a credible compliance function. That typically includes a Money Laundering Reporting Officer (MLRO) and compliance leadership with practical implementation background. In payments, the regulator will test whether compliance can say “no” to the business and whether it has the tools, access, and authority to enforce controls.

Internal control functions

Risk management, compliance, and internal audit (whether in-house or appropriately outsourced) must exist as real functions. The more complex your model, the less tolerance there is for part-time or nominal appointments.

Safeguarding client funds: the core licensing pillar

Safeguarding is often where fintech founders underestimate the operational detail. An EMI must protect customers’ funds received in exchange for e-money or for executing payment transactions. The usual mechanisms are segregation in dedicated accounts with credit institutions and/or insurance or comparable guarantees.

The regulator will expect a safeguarding policy that is more than a document. You need a process: when funds become safeguarded, how reconciliations are done, who reviews them, what happens on weekends and holidays, and how you handle chargebacks, refunds, and disputes.

Banking also matters. Even a perfectly drafted safeguarding policy will not satisfy the market if you cannot secure appropriate accounts. For many applicants, the critical path is aligning the application, the safeguarding approach, and the banking strategy so they do not contradict each other.

AML/CTF requirements: show your controls working end-to-end

Lithuania is not a jurisdiction where a generic AML manual survives review. Your AML/CTF framework must be tailored to your product, customer types, geographies, delivery channels, and transaction patterns.

You should expect to provide a business-wide risk assessment and demonstrate how it drives controls: onboarding checks, customer risk scoring, enhanced due diligence triggers, sanctions screening logic, transaction monitoring scenarios, and suspicious activity reporting. If you operate higher-risk corridors or serve non-resident customers, anticipate deeper questioning on how you mitigate risk without simply “de-risking” legitimate users.

The operational expectation is that you can evidence a full AML lifecycle. It is not enough to say you will use a vendor tool. You must show who tunes the rules, who reviews alerts, what your SLAs are, how you evidence decisions, and how management oversight works.

IT, security, and operational resilience: increasingly decisive

EMIs are technology businesses with a banking-grade threat model. The licensing file will typically need a coherent IT and security pack: architecture overview, access management, change control, incident management, logging and monitoring, and business continuity.

EU-wide expectations on ICT risk and operational resilience are rising, including under DORA. Even if timelines vary by entity type and national implementation, the market is already pricing in higher expectations from banks, card schemes, and counterparties. If your controls are weak, it becomes a commercial problem long before it becomes an enforcement problem.

Outsourcing: allowed, but you must remain in control

Most EMI applicants use third parties for KYC, screening, transaction monitoring tooling, card processing, cloud hosting, customer support, or even parts of finance operations. Lithuania can accept this, but only with strong governance.

You will need outsourcing registers, due diligence records, written agreements with proper audit and access rights, clear KPIs, and contingency plans. The regulator will be focused on concentration risk (one provider running too much of the stack), location risk (where data and processing happen), and exit feasibility (how you will migrate without harming customers).

The documentation package: what “complete” looks like

A credible EMI application is not a pile of templates. It is a consistent set of documents that match the business model, the financial forecast, and the operational plan.

At minimum, expect to prepare a detailed programme of operations, a multi-year business plan with financial projections and assumptions, governance documents, AML/CTF policies and risk assessment, safeguarding policy, complaints handling, risk management framework, IT/security and continuity documentation, outsourcing arrangements, and evidence supporting the fitness and propriety of key persons.

Consistency is where applications often fail. If your programme of operations says one thing, your AML risk assessment assumes a different customer base, and your forecast implies a third reality, the regulator will push back hard - and you lose time.

Typical rejection and delay triggers

Licensing timelines are most often blown up by predictable issues.

First, governance that does not match the business. That includes weak local substance, unclear responsibility split between group entities, and key persons without the depth to run a regulated payments institution.

Second, an AML approach that is not operationalised. If you cannot show alert handling, case management, escalation, and management information, you will be treated as unready.

Third, safeguarding and funds flows that are not properly mapped. The regulator will ask you to explain how money moves through your system. If your answer requires guessing, it is too early to file.

Fourth, outsourcing that makes you look like an empty vehicle. If you outsource core activities, you must show you can monitor and control providers, and that you have the internal competence to do so.

Build from scratch vs ready-made EMI vehicle

Your route to market depends on your timeline, investor pressure, and banking realities.

Building from scratch gives you full design control and often a cleaner story to the regulator, but it takes time to recruit, document, implement, and iterate through questions. Buying a ready-made structure can reduce set-up time if the vehicle is genuinely compliant, properly maintained, and aligned to your business model. The risk is buying paperwork without operational integrity - which can create more regulatory friction than starting fresh.

If speed matters, you still need to do proper due diligence: corporate history, regulator interactions, policies and controls, staffing, contracts, and whether the licence scope actually fits your intended services.

What to do before you start spending

Before you draft anything, lock down three decisions.

First, define your product and permissions precisely. “Payments” is not a scope. Acquiring, issuing, wallets, IBAN accounts, FX, and remittance each drive different risk and safeguarding mechanics.

Second, map your funds flows and outsourcing model. If you cannot draw your operating model in a way that a regulator and a bank both understand, your application is not ready.

Third, recruit the core control functions early. A good MLRO and compliance lead will save months by preventing misaligned design choices.

For teams that want an execution partner that can build the compliance framework, align providers, and run the application end-to-end without tiered packages or hidden fees, NUR Legal typically supports clients from jurisdiction selection through to regulator-facing delivery and operational readiness.

A strong Lithuania EMI application is not about sounding confident. It is about proving you can run a controlled institution on day one, and still be standing when transaction volumes and regulatory expectations both climb.