AML Insights - Lithuania

Introduction

As Lithuania engages with the evolving EU Anti-Money Laundering (AML) regulatory architecture, a recent workshop in Vilnius, co-hosted by Lithuania’s Center of Excellence in Anti-Money Laundering (AML Center) and the Centre for Finance and Security at RUSI, provided a forum for diverse financial and regulatory stakeholders to reflect on national readiness, implementation challenges and regulatory clarity. Discussions centred on institutional coordination, regulatory feedback mechanisms, supervisory expectations, sector-specific implications and the anticipated role of the Anti-Money Laundering Authority (AMLA).

In summary, the workshop sought to build understanding of how a major new AML framework (described below), designed in Brussels in light of significant AML policy failings in the traditional banking sector – most notably in the Nordic-Baltic region a decade ago – is viewed in a diverse financial community such as Lithuania, and the extent of the understanding and implementation gap that exists between Brussels and EU member states.

Background

The discussion took place against the backdrop of the ongoing cross-European efforts to implement the legislative package adopted by the European Commission in May 2024 (the EU AML Package). This comprehensive framework comprises several key pillars:

• The AML Regulation (AMLR), which introduces a single rulebook for AML/CFT (countering the financing of terrorism), establishing uniform rules that are directly applicable across all member states.

• The Sixth Anti-Money Laundering Directive (AMLD6), which addresses the structural aspects of AML supervision and enforcement.

• Regulation (EU) 2024/1620, which established the AMLA, mandated with direct supervisory and coordination responsibilities.

• The transfer of funds regulation (TFR), which extends the so-called “travel rule” to all financial transactions, irrespective of the amount. Under the revised TFR, the travel rule is now applicable to not only traditional financial institutions but also crypto-asset service providers (CASPs).

One of the most notable changes observed by workshop attendees is the expanded scope of obliged entities. New sectors such as crowdfunding platforms, investment migration operators, mortgage credit intermediaries, non-financial holding companies and football clubs/agents will fall under the regulation. This broadening of scope will have limited relevance in Lithuania, but it will affect Lithuania’s vibrant fintech community, nonetheless.

The country hosts an innovative and expanding fintech ecosystem, facilitated by a streamlined licensing process that has attracted over 260 fintech firms, positioning Vilnius as a regional fintech hub. Key financial players in the country include both domestic and international banks such as SEB, Swedbank and Luminor, as well as a growing number of electronic money institutions (EMIs).

Against this backdrop, workshop participants characterised private sector engagement on the EU AML Package as an area of mixed progress. Some participants noted proactive steps by larger institutions to familiarise themselves with the EU AML Package – particularly the more detailed technical standards – and conduct gap analyses. However, others (particularly smaller entities) reported uncertainty regarding how and when their input is expected, raising concerns about uneven representation in shaping the implementation process.

The workshop discussion focused on a number of key issues facing the financial sector as it confronts the reality of the EU AML Package.

1. Institutional Collaboration and Feedback to the European Banking Authority (EBA)

Representatives from the Bank of Lithuania (BoL) noted their close and continuous engagement with the EBA, highlighting participation in relevant EBA committees alongside the Ministry of Finance. The EBA is an EU regulatory agency that works to ensure effective and consistent supervision of the banking sector across all member states. As a part of its mandate, it has been proactive in supporting the rollout of the EU AML Package across the bloc in relation to financial institutions. However, one participant noted that the supervision of and collaboration with non-financial institutions that are heavily impacted by the package is beyond the EBA’s mandate.

According to BoL representatives, the Bank’s engagement involved multiple interactions with the EBA regarding the EU AML Package, particularly as it relates to the development and dissemination of Regulatory Technical Standards (RTS). With four key RTS documents now published for comment by the EBA, the BoL has proactively communicated with the Lithuanian market to solicit feedback, with special attention to customer due diligence (CDD). Authorities present at the workshop stressed the importance of market-level feedback to the EBA, noting that input from private sector actors complements the supervisory perspective and can shape regulatory adaptation.

The importance of collective, market-driven feedback was also stressed by the representative of the National Development Bank of Lithuania. The BoL had requested feedback from the National Development Bank, particularly to provide commentary on the AMLD6. In response, the National Development Bank engaged with industry associations to collect inputs from across the board – in the hope that collective responses offer greater leverage, while unilateral action may reduce the ability to influence.

2. Sectoral Readiness and Technical Adaptation

Workshop participants expressed strong and divergent views on their ability to prepare for the reality of the EU AML Package. A representative of one of the biggest banks in Lithuania reported a recent assessment of the technical developments required to meet the demands of the new package. This assessment included multiple workshops and detailed workstreams, highlighting the considerable burden the industry will face. From a Baltic perspective, several significant gaps were identified by the representative which will need to be closed in order to comply with the demands of the EU AML Package. While the changes are not viewed as transformative, they will demand extensive system and procedural adjustments. Compliance and monitoring functions will face an increased workload.

The expansion of regulated entities under the new rules was also raised by workshop participants. A broader array of clients will now qualify as obligated entities, imposing additional compliance responsibilities on the banks, too. Institutions are actively analysing scenarios to prepare pre-emptively. During the workshop, it was noted that over 60 new legislative instruments are under development. While not all are directly relevant to market actors, many pertain to AML oversight. Participants said that while some instruments arise from EU-level harmonisation efforts, others are linked to initiatives by the AMLA or the EBA.

Representatives from fintech associations and legal consultancies strongly emphasised that, for smaller entities, the primary challenge does not lie with the Level 1 legislation of the EU AML Package – that is, the core legal instruments such as regulations and directives adopted by the European Parliament and the Council. These foundational texts establish the general principles and objectives of the AML framework and have largely been understood and incorporated by the market. The greater concern arises from the Level 2 legislation, which consists of more technical and detailed rules – particularly RTS and Implementing Technical Standards – adopted by the European Commission based on proposals from supervisory authorities. These secondary measures are intended to operationalise and provide guidance on how to comply with the Level 1 framework. However, representatives of the fintech sector stakeholders noted that these provisions often extend or clarify obligations in a way that adds complexity, especially in critical compliance areas such as CDD and transaction reporting.

There was a growing concern among participants that Level 2 technical implementation measures, by becoming overly prescriptive, will undermine the risk-based approach – a core principle of EU AML policy – by imposing uniform obligations that may not adequately account for the size, risk profile or capacity of smaller market participants.

For example, one representative of the fintech sector noted that while the AMLR seeks to establish a harmonised regulatory environment, its real-world impact may diverge significantly from this objective – particularly for digitally-native financial service providers operating across borders.

The representative underlined, for instance, that article 22(6) of the regulation, which restricts remote customer identification to methods that satisfy the electronic identification and trust services regulation’s assurance levels of “substantial” or “high”, effectively precludes the use of biometric technologies such as facial recognition. The problem, as noted by the representative, is that these are currently deployed by many fintech firms – not only in Lithuania – to ensure secure and efficient cross-border onboarding. Traditional banks, which typically operate within national boundaries, don’t face this challenge and therefore may encounter fewer operational disruptions when aligning to the new legislation.

The speaker emphasised that this regulatory constraint presents a significant structural challenge. They said:

What everyone should start thinking about now is: “What tools could possibly comply with those requirements? Are there even such tools in the market that meet this criterion and can verify all EU citizens? And how much will ID verification services cost under this regulation?”.

In short, there was a strong view around the table that the EU AML Package was designed with big banks in mind. Describing the package as being rooted in the failings of big banks a decade ago, participants argued that it had overlooked the needs and implementation challenges of the fintech community – one of the key pillars of the Lithuanian financial services industry and overall economy.

3. Risk-Based vs. Rule-Based Approaches and Innovation Constraints

Participants expressed concern that the EU AML Package represents a shift away from a risk-based approach towards a more rules-based regime which may stifle innovation, particularly in remote onboarding processes. They noted that the Level 1 regulation encourages a risk-based approach, but Level 2 provisions appear to go further by prescribing detailed operational procedures, thereby restricting flexibility. For example, new requirements to collect place of birth – including the city rather than only the country – raise practical challenges. Whether or not the collection of birth certificates is required for this is still uncertain.

The regulatory burden is anticipated by participants to disproportionately affect the fintech sector and smaller institutions. Larger banks have had time to adapt, whereas newer market entrants often lack resources to effectively participate in consultations or anticipate regulatory shifts. Some warned that the cumulative effect may create a reinforcing loop, whereby only large institutions are adequately represented, skewing regulatory outcomes in their favour.

To respond to this threat, Lithuanian fintech stakeholders are actively contributing to the consultation process led by the EBA. However, these financial stakeholders noted a lack of fintech industry representation at the EU level. A representative of the fintech sector stressed the importance of ensuring that fintech-specific operational realities are reflected in the final regulatory instruments. “The question remains whether a uniform, rules-based approach can adequately accommodate the diversity of financial service models across the EU”, the speaker concluded.

4. Supervisory Coordination and Beneficial Ownership

Participants elaborated on the AMLR’s requirement for firms to verify beneficial ownership (BO) information when an individual holds more than 25% ownership or exercises control exceeding 50%, and to report any discrepancies within 14 days. EU member states must also revise their laws in line with the 2022 Court of Justice of the EU ruling, which found that unrestricted public access to BO registers breaches privacy rights under the EU Charter. The Court held that only those with a “legitimate interest” — such as journalists, civil society groups, and certain financial institutions — may access BO data. Member states must therefore clearly define this interest and ensure access is granted with proper safeguards. Together, these requirements significantly shape the regulatory landscape. Participants representing financial institutions pointed out that the inconsistent application of those rules across the EU harms cross-border information sharing. For example, participants reported difficulties retrieving information from registers in Scandinavian countries, citing national differences in access protocols. There was consensus among participants that such disparities necessitate harmonisation, although the implementation of AMLD6 at the national level may limit the effectiveness of EU-wide alignment.

BO registers in Lithuania have access restricted to public institutions, law enforcement, obliged entities and journalists. The new rules on BO introduced in the EU AML Package prompted the BoL to conduct a gap analysis. Assessing deficiencies in the functioning of BO registries to improve their utility and relevance is regarded globally as a cornerstone of effective AML efforts, so the proactive approach taken by the BoL speaks to Lithuanian commitment to strengthening the integrity of its financial system.

Supervisory coordination in Lithuania is currently ad hoc, according to financial stakeholders present at the workshop. The Lithuanian Financial Intelligence Unit (FIU) leads AML coordination in the country and represents Lithuania at MONEYVAL (Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism), but there is a recognised need for a more institutionalised approach. A proposal has been submitted to the government to formalise cooperation of all Lithuanian supervisors. Financial stakeholders also suggested establishing a dedicated coordination group, beyond existing ad hoc forums.

5. Crypto, Gambling and Emerging Sectors

Representatives from the cryptocurrency sector highlighted their complex regulatory positioning within the evolving EU framework. While some may not fall under the definition of CASPs as defined in the Markets in Crypto-Assets Regulation (MiCA) – if, for example, they do not provide specific services such as custody, trading platforms or exchange services – they may still be subject to AML obligations under the EU AML Package. This is because the new AML obligations apply to a broader range of entities involved in the exchange, transfer, safekeeping or issuance of crypto-assets.

Sector representatives noted that many of these entities based in Lithuania, especially those facilitating merchant payments through crypto-wallets, may operate outside traditional financial service classifications. However, they often still require registration or licensing according to national legislation, even if they are not fully captured under MiCA’s scope.

One participant noted that Lithuania is not expanding its licensing framework; rather, it is narrowing the criteria for obtaining licenses. For example, the BoL continues to discourage entities from combining cryptocurrency and payment services under a single licence. According to the same participant, representatives from crypto-native companies operating in a manner similar to payment service providers believe that they do not fully fall under the current regulatory regime. This reflects an ongoing, informal debate in Lithuania regarding the range of permissible services and corresponding obligations. The BoL was described by participants as a particularly strict regulator.

Another participant, representing a Lithuanian gambling supervision authority, highlighted ongoing efforts to educate regulated markets. New EU legislation will impose significant changes in how they operate. For example, a representative of this sector noted that, know your customer processes, particularly around data collection such as place of birth, pose operational difficulties. The sector is also examining best practices internationally, particularly in Latvia and Estonia.

6. AMLA Supervision and Future Prospects

According to participants, the newly established AMLA, created under Regulation (EU) 2024/1620, represents a cornerstone of the EU’s updated AML framework. AMLA will serve as the central supervisory body tasked with ensuring consistent implementation of AML/CFT rules across member states. It is empowered to directly supervise selected obliged entities, coordinate cross-border enforcement efforts, and intervene where national supervision is insufficient, thereby aiming to reduce fragmentation and reinforce the credibility of the EU’s AML regime.

Participants in the Vilnius workshop noted that Lithuania will have a direct presence within AMLA’s leadership, with Simonas Krepšta, until recently a board member of the BoL, joining the authority’s executive board. Krepšta has overseen financial market supervision and digital development and has been instrumental in promoting Lithuania’s fintech ecosystem. His expertise in digital finance and supervisory oversight is expected by participants to contribute significantly to AMLA’s mandate, particularly in fostering innovation-compatible compliance strategies.

Stakeholders reflected on the dual implications of AMLA supervision. While the aim of harmonisation is broadly supported, questions remain about how dual supervision by AMLA and national regulators will function. Stakeholders anticipate that at least one Lithuanian bank may fall under AMLA’s direct supervision. Questions persist regarding the interplay with MONEYVAL assessments and the supervisory burden.

A representative of the BoL noted that initial expectations of reduced supervisory intensity under AMLA have shifted, with increased resource deployment now anticipated. While the goal of greater consistency is welcome, it was observed that practical differences between member states remain stark.

7. Information Sharing and Technological Solutions

During the workshop, some participants argued that regulation should be outcome-focused and technology-agnostic. The extent to which the EU AML Package will encourage IT adoption remains uncertain, but article 75 of the AMLR incentivises the development of such tools. It calls on member states to promote the development and use of secure, privacy-compliant digital tools supporting information sharing, typology development and automated suspicious transaction detection. While AMLD6 sets out this ambition, effective implementation will depend on national legislative frameworks and institutional readiness to operationalise these tools. In this context, the participants noted that the gap between national legislative frameworks and EU mandates remains a challenge.

Since summer 2024, Lithuania has had a legal basis for private-to-private information sharing. The country has initiated a process aimed at enhancing the ability of financial institutions to share information regarding suspicious financial activities. At the beginning of April 2024, the Lithuanian Parliament approved amendments to Lithuania’s money laundering and terrorist financing prevention law. Article 15 (1) of the revised legislation stipulates that financial institutions are permitted to exchange information concerning their clients. Participants stated that the introduction of this framework marks a significant step in strengthening the country’s AML efforts, promoting greater collaboration among financial institutions, and aligning with EU-wide initiatives, including the EU AML Package. The AML Center is developing IT solutions to enable this exchange, though the complexity and the number of stakeholders involved makes implementation challenging. A representative of the AML Center, which supports the development of a strong public-private partnership in the country, explained that the system includes two core components: first, entities may request information when there is a suspicion; and second, a pre-defined criteria list from the FIU guides suspicion thresholds. All data exchanges are to be encrypted, in line with data protection regulations. The platform facilitating private-to-private data exchange is currently under development, with an estimated launch timeline of up to three years.

Conclusion

The Vilnius workshop revealed a high degree of engagement from Lithuanian authorities and financial institutions with the EU AML Package, while also highlighting areas of concern and ambiguity. The implementation of secondary legislation, the evolving role of AMLA, and the tension between harmonisation and national flexibility are critical issues for Lithuania. The workshop indicated that ensuring the inclusion of smaller actors, preserving innovation and enhancing cross-border cooperation on BO will be essential to the success of the EU AML framework in Lithuania and across the EU. There was a clear sense that the EU AML Package is, while well-intentioned, (as one participant put it) “the right idea at the wrong time” and out of step with the “deregulation zeitgeist”, and risks stifling innovation at a time when Europe should be seeking ways of accelerating, not restricting, development.

Kinga Redlowska is the Head of the Centre for Finance and Security (CFS) at RUSI Europe, where she leads research and policy engagement on illicit finance, sanctions and economic security. She leads the CFS’s activities in Brussels that centre around the intersection of illicit finance and security, and are focused on the EU and its neighbourhood. The list of flagship projects implemented through the CFS Brussels office includes Euro SIFMANet (European Sanctions and Illicit Finance Monitoring and Analysis Network) and Project SMURF (Supervising and Monitoring Ukraine’s Reconstruction Funds).