How to Prepare for a Bank of Lithuania Inspection

  • Feb 13
  • 8 min read

The Bank of Lithuania (Lietuvos bankas) serves as the prudential and AML/CFT supervisor for financial market participants in Lithuania, including banks, electronic money institutions (EMIs), payment institutions (PIs), investment firms, insurance companies, credit unions, crowdfunding platforms, and crypto-asset service providers (CASPs) under MiCA. If your institution receives a Bank of Lithuania inspection notice, how you respond in the critical first weeks will significantly influence the inspection outcome, potential findings, and enforcement actions.


In this post, we'll outline the practical mechanics of Bank of Lithuania inspections, common pitfalls that lead to serious findings, and actionable steps to prepare effectively and minimize regulatory risk.


What is the Bank of Lithuania's Supervisory Role?

The Bank of Lithuania (BoL) supervises financial market participants under multiple legal frameworks:

  • Prudential supervision – capital adequacy, liquidity, governance, risk management

  • AML/CFT supervision – compliance with the Law on the Prevention of Money Laundering and Terrorist Financing (PPTFPĮ) and BoL's AML instructions (Decision No. 03-17)

  • Conduct supervision – consumer protection, fair dealing, marketing standards


BoL's approach is risk-based and proportionate, focusing resources on higher-risk institutions, business models, and areas showing weakness in off-site monitoring.

How Bank of Lithuania Inspections Work: The Practical Flow


1. Planning and Scope

Each year, BoL publishes an annual inspection plan listing institutions scheduled for planned inspections. For example:

  • 2026 plan: Approximately 20 inspections and visits focusing on AML/CFT, internal control, IT/cyber risk, credit risk, and sanctions

  • 2025 plan: Up to 30 inspections with emphasis on AML/CFT, risk management, and governance

Institutions are selected based on:

  • Sectoral risk (fintech/EMIs historically higher)

  • Portfolio characteristics (cross-border, high-risk geographies, crypto exposure)

  • Off-site monitoring signals (rapid growth, STR volumes, licensing breaches)

  • Past inspection findings or enforcement actions

  • Thematic priorities (e.g., sanctions implementation post-Ukraine, crypto AML under MiCA)

BoL also conducts unplanned inspections triggered by adverse events, serious breach suspicions, or market intelligence.

Inspection types include:

  • Full-scope – comprehensive review of multiple areas

  • Thematic/horizontal – focused on one topic (e.g., sanctions screening) across multiple firms

  • Targeted – specific concern or follow-up on past findings

  • On-site vs off-site – BoL may conduct entirely desk-based reviews or combine with fieldwork


2. Notice and Initial Information Request

When selected, you receive:

  • Formal inspection notice – specifying scope (e.g., "AML/CFT compliance," "governance and internal control," "sanctions implementation"), legal basis (BoL Decision 03-188 on inspection procedures), inspection team, expected start date, and duration

  • Standardized information request including:

    • All AML policies, procedures, business-wide ML/TF risk assessment (BWRA)

    • Organizational charts, board and management responsibilities, MLRO/compliance function documentation

    • Customer portfolio analytics (breakdown by risk category, geography, product, sector, PEP count)

    • Transaction data extracts for a defined period (typically 6-12 months)

    • List of high-risk customers, PEPs, terminated relationships, EDD files

    • STR/CTR statistics with underlying investigations and decision logs

    • Sanctions screening process documentation, hit logs, false positive handling

    • Training records, internal audit reports, independent AML reviews

    • IT systems documentation (transaction monitoring, sanctions screening tools)

BoL publishes standard AML inspection templates that supervised entities receive with the notice, ensuring consistent data submission across the market.

Critical point: BoL expects structured, complete, and internally consistent responses. Late, incomplete, or chaotic submissions immediately signal control weaknesses.


3. Off-Site Review

Before (or instead of) on-site work, BoL inspection teams carry out:

  • Policy and procedure review – compare your framework against:

    • PPTFPĮ requirements

    • BoL Decision 03-17 (AML instructions for financial market participants)

    • BoL supervisory policies and past guidance

    • EBA guidelines and FATF standards where applicable

  • Data analysis – identify outliers and risk signals:

    • High-risk geographies, products, or customer segments

    • Unusual transaction patterns or spikes

    • STR/CTR volumes vs portfolio risk (disproportionately low reporting is a red flag)

  • Sample selection – pre-select customers and transactions for detailed file review:

    • High-risk customers, PEPs, complex ownership structures

    • Third-country clients (especially non-EU/EEA, higher-risk jurisdictions)

    • Crypto/VASP clients, financial institutions as clients, gambling clients

    • Large transactions, unusual patterns flagged by monitoring

At this stage, examiners form preliminary hypotheses about your control gaps, which guide on-site work.


4. On-Site / Remote Fieldwork

During the inspection (physical presence or remote via secure channels):

Opening meeting:

  • Your management presents business model, risk appetite, AML governance, recent improvements

  • BoL team outlines expectations, timeline, and key areas of focus

Interviews:

  • Board and senior management – understanding of ML/TF/sanctions risks, risk appetite statements, oversight evidence

  • MLRO/compliance function – operational walk-throughs of CDD/EDD, ongoing monitoring, STR decision-making, sanctions screening, risk assessment methodology

  • Operations/IT – systems functionality, data quality, scenario tuning governance, sanctions list updates, alert investigation processes

File reviews:

  • Pre-selected customer files examined in detail:

    • Identity verification and beneficial ownership (BO) identification/verification

    • Risk scoring methodology and rationale

    • Enhanced due diligence (EDD) for high-risk customers: source of wealth/funds, business rationale, ongoing monitoring evidence

    • Periodic review documentation and updates

    • PEP screening results and enhanced measures

    • Sanctions screening hits and investigation outcomes

  • Transaction monitoring review:

    • Scenario logic, thresholds, data coverage

    • Alert generation, investigation quality, escalation, STR filing decisions

    • Governance of scenario tuning and threshold changes (board/committee approval, independent validation)

  • Sanctions implementation:

    • Screening process (onboarding, ongoing, transaction-level)

    • List sources and update frequency

    • Hit management and false positive reduction

    • Compliance with EU/UN restrictive measures

What BoL looks for: Not perfection, but evidence of a proportionate, risk-based, and genuinely embedded AML/sanctions framework. "Tick-box" compliance, superficial controls, or policies not aligned with actual practice are heavily penalized.


5. Draft Findings and Final Report

After fieldwork:

  • BoL drafts findings classified by severity (observations, deficiencies, material weaknesses, critical issues)

  • Draft report sent to you for factual corrections and management response

  • Final report issued with:

    • Detailed findings and required remedial actions with deadlines

    • Decision by BoL's Finance Market Supervision Committee (FMPK) on enforcement actions:

      • Formal warning

      • Binding action plan (often including independent review requirement)

      • Administrative fine

      • Restrictions on business activities (e.g., restrictions on onboarding high-risk clients, geographic restrictions)

      • Licence suspension or revocation (extreme cases)

BoL publishes high-level summaries of FMPK decisions on its website under "Finansų rinkos priežiūros komiteto sprendimai" and issues press releases for significant AML sanctions. Individual enforcement actions are not always fully public, but major cases are disclosed.


Recent BoL AML enforcement examples:

  • Monavate (EMI): 270,000 EUR fine (2025) for AML and safeguarding/control deficiencies

  • TransferGo Lithuania (EMI): 310,000 EUR fine (2023) for CDD/EDD, monitoring, STR, internal control breaches

  • AB Mano bankas: 165,000 EUR fine (2022) for AML and sanctions control weaknesses

  • Verse Payments Lithuania (EMI): 280,000 EUR fine (2023) for "serious and systemic" AML breaches

  • Paysera LT (EMI): 370,000 EUR fine (later reduced by court to 200,000 EUR) for multiple AML deficiencies


Where Institutions Make Critical Early Mistakes

Based on BoL enforcement patterns and market experience, three failure modes are most damaging:


1. Chaotic or Incomplete Response to Initial Request

  • No clear inspection lead or governance structure

  • Multiple departments replying inconsistently with conflicting data

  • Policy and procedure documents in mixed, unsynchronized versions

  • Customer and transaction data extracts incomplete, incorrectly formatted, or missing key fields (risk category, BO identification status, country codes)

  • Late submissions requiring extensions or follow-up requests


2. Last-Minute Policy Overhauls

  • Discovering AML framework is outdated, generic, or misaligned after receiving notice

  • Rushing to rewrite policies, procedures, and risk assessments during inspection period

  • BoL easily detects this through:

    • Document metadata and effective dates

    • Board minutes showing no prior discussion or approval of "updated" framework

    • Practices in customer files that contradict "new" procedures

Why it matters: This signals governance failure and a potential attempt to mislead supervisors. It often results in harsher findings than transparently disclosing historical weaknesses and showing a credible improvement path.


3. Weak Business-Wide Risk Assessment

The mistake:

  • ML/TF risk assessment is generic, template-driven, or clearly outsourced without customization

  • Does not reflect actual business model, product suite, customer segments, or geographic exposure

  • Customer portfolio data cannot be reconciled to risk assessment conclusions

  • Risk scoring methodology is arbitrary, undocumented, or inconsistent with stated risk factors

Why it matters: BoL Decision 03-17 and PPTFPĮ require a tailored, documented, board-approved business-wide ML/TF risk assessment. This is the foundation of your entire risk-based approach. If weak, BoL assumes all downstream controls (CDD/EDD triggers, monitoring scenarios, resource allocation) are also fragile.


BoL's published enforcement actions, AML reviews, and market intelligence reveal consistent patterns:

1. Inadequate CDD/EDD and Beneficial Ownership Identification


  • Full identity verification at onboarding (ID document, address, liveness checks for remote onboarding)

  • BO identification and verification according to PPTFPĮ thresholds using independent sources (JADIS for LT entities, foreign registries, third-party databases)

  • Clear EDD triggers based on risk factors (PEP status, geography, ownership complexity, sector, transaction profile)

  • Documented EDD measures:

    • Source of wealth and source of funds inquiries with supporting evidence

    • Enhanced ongoing monitoring (more frequent reviews, transaction scrutiny)

    • Senior management approval for relationship establishment

  • Regular CDD/BO refreshes aligned with risk (annually for high-risk, every 2-3 years for standard)


2. Weak Ongoing Monitoring and STR Governance


  • Customer risk scores set at onboarding but never updated based on actual behavior

  • Periodic reviews skipped, delayed, or performed as superficial tick-boxes with no meaningful analysis

  • Transaction monitoring systems:

    • Scenarios not tailored to business model and risk profile

    • Thresholds set too high, generating very few alerts

    • Poor alert investigation quality (no analysis of transaction rationale, counterparties, patterns)

    • No governance over scenario tuning (ad-hoc changes without validation or approval)

  • Failure to understand nature and purpose of customer transactions and economic rationale

  • STR volumes disproportionately low given portfolio risk profile

  • STRs filed late or with insufficient supporting analysis

  • No documented STR decision-making process or escalation governance


Practical Preparation Steps: What to Do When the Notice Arrives


  • Week 0-1: Stabilize and Organize

✅ Appoint an inspection lead, lock document version control, identify gaps early (missing BWRA, incomplete BO data, no training logs, weak monitoring documentation, backlog), and prepare a transparent narrative.


  • Week 1-3: Documentation Review and Data Preparation

✅ Critical AML framework review, BWRA validation, independent customer file quality check, data preparation, and transaction monitoring and sanctions review.


  • Week 3-4: Management Preparation

✅ Prepare the inspection narrative as a short, data-driven management deck; document everything; carry out a technical review of findings; design the remediation program; and present findings, response, and remediation plan to the board.


Understanding Fine Risk: Revenue vs Enforcement


Based on recent BoL AML enforcement cases, fines typically range from 1-8% of annual revenue, depending on:

  • Breach severity (minor vs systemic)

  • Institution size (smaller EMIs face higher % burden)

  • Cooperation and remediation (good faith efforts mitigate)

  • Repeat offender status (past findings increase sanctions)


Examples:

  • TransferGo Lithuania: ~1.4% of 2022 revenue (310k EUR fine / 21.98m EUR revenue)

  • AB Mano bankas: ~2.1% of 2022 revenue (165k EUR fine / 7.71m EUR revenue)

  • Paysera LT (after court reduction): ~1.5% of revenue (200k EUR final fine)

  • Verse Payments Lithuania: ~8.3% of 2023 revenue (280k EUR fine / 3.36m EUR revenue) – systemic, serious breaches

  • Monavate: ~2-5.5% depending on revenue baseline (270k EUR fine)

Implication: For medium to large institutions with serious but not existential AML issues, expect fines in the 1-3% of annual revenue range. Smaller institutions or those with systemic breaches can face 5-8%+ of revenue, plus licence restrictions or suspension risk.


When to Consider External Support

If your compliance function lacks BoL inspection experience, is under-resourced, or your business model is complex/high-risk, engaging an external AML compliance consultant or outsourcer can take on the heavy lifting and provide an independent file review as a cross-check, helping you anticipate BoL findings and track, respond to, and remediate them.


Cost-benefit: External support costs are typically a small fraction of potential fines, business restrictions, and reputational damage. Well-managed inspections significantly reduce enforcement risk and demonstrate institutional commitment to compliance.


SOLUTION: Whether you build internal capacity or engage external specialists, the critical success factors are early preparation, organized governance, transparent disclosure, and credible remediation. BoL values institutions that demonstrate genuine control, honest engagement, and continuous improvement over those that attempt to paper over weaknesses.


Stay Compliant: Keep up to date with BoL guidance, Decision 03-17 updates, PPTFPĮ amendments, and supervisory expectations. If you're facing a Bank of Lithuania inspection or want to assess your readiness, CAML's team has extensive experience supporting financial institutions through BoL inspections, remediation programs, and ongoing AML compliance. Reach out to discuss your specific needs.

Read our other article: How to Prepare for an FNTT Inspection from CEO, CCO and COO Perspectives.

 
 
 


© 2026 by CAML
