EMI Licence Application in Lithuania: Process, Cost, Timeline (2026)

The Bank of Lithuania¹^[1] has authorised more electronic money institutions than any other EEA national competent authority in the last decade. The country built its EMI franchise deliberately, on a foundation of process predictability, English-language supervision, and SEPA passporting from a small jurisdiction with low operating cost. The application is well-documented and the diligence rhythm is repeatable.

The product has changed since 2022. The substance bar — local management, real office, decision-making in jurisdiction — has hardened materially under combined pressure from the ECB, EBA peer reviews, and a series of high-profile EMI failures elsewhere in the EEA. Lithuanian-domiciled EMIs that operated as shop-window arrangements with all real activity offshore are no longer being authorised, and several existing licences have been re-examined.

This guide covers the realistic 6–12 month application timeline, the capital requirements and methodology choice, the full document set, the substance expectations in 2026, an indicative cost breakdown, and the rejection patterns we see most often at Bank of Lithuania.

Three structural reasons. First, process predictability: the Bank of Lithuania has authorised over 100 EMIs and the diligence rhythm is the same on the hundredth file as it was on the tenth. Second, English-language supervision: the regulator engages and reviews documents in English, removing a meaningful translation cost and ambiguity layer faced in Germany or France. Third, SEPA passporting from a small jurisdiction with low CIT (15%, 5% for small companies under €300k revenue) and low operating cost.

The trade-off is the substance pivot since 2022. Cost-arbitrage applicants — founders running operations in London, Tel Aviv or Dubai while incorporating in Vilnius for the licence — are now refused. The Bank of Lithuania expects real local management, real office space, and a credible operational footprint in country.

Document file assembly, founder background dossiers, capital injection plan, office incorporation, key-persons recruitment. Most applicants underestimate this phase. Realistic effort: 8–12 weeks of full-time legal and compliance work to produce a submission-ready file. We strongly recommend a pre-application meeting with the Bank of Lithuania once the file is ~80% ready — the regulator's input materially de-risks the formal submission.

Submission of the full application pack against the EMD2²^[2] framework and the Bank of Lithuania's national-level guidance. The supervisor confirms completeness within 30 working days and issues an initial gap analysis. Expect two or three rounds of follow-up requesting clarifications, additional evidence, or rewritten policy sections.

Once the file is complete, the supervisor moves into substantive review: fit-and-proper interviews with directors, MLRO and key persons; deep review of AML/CTF programme; ICAAP review; ICT and DORA assessment; safeguarding methodology validation. Director interviews are in person in Vilnius by default; substance evidence is examined in this phase.

Authorisation grant with a list of conditions precedent — typically capital injection confirmation, key-persons hiring confirmation, IT system go-live evidence, safeguarding bank account confirmation, and an opening balance-sheet attestation. Conditions are usually cleared in 4–8 weeks. The licence is then operational.

Quarterly prudential returns, annual ICAAP refresh, AML programme reviews, supervisory dialogue with the Bank of Lithuania's payments division. Substance is re-tested at month 12 and month 24 via on-site visits.

EMD2 minimum own funds: €350,000 or 2% of average outstanding e-money — whichever is higher. The Bank of Lithuania's working floor in 2026 is closer to €500,000–€750,000 of paid-in equity at authorisation, because anything close to the floor leaves no buffer for year-1 operating losses and triggers questions about going-concern at the very moment the licence is most fragile.

Methodology choice: Method A (fixed-overhead-based) or Method D (e-money-volume-based) under EMD2 Article 5. Method A is simpler and predictable; Method D is preferred at scale because it tracks actual customer balances. Most applicants use Method A through year 1 and migrate to Method D once outstanding e-money is established.

Source of capital must trace to clean source of wealth at the natural-person level for any UBO above 25%. This is the most-failed dimension in 2026 — multi-layer holding structures or undisclosed institutional shareholders trigger immediate enhanced diligence.

Service description, target customer base, product roadmap year 1–3, geographies served, distribution model, agent structure, customer-journey mapping. The POO is the spine of the application — every other module references it.

Internal Capital Adequacy Assessment Process aligned to the EBA Single Rulebook — risk inventory, capital quantification methodology, 36-month projection, stress scenarios including a 30% volume shortfall and a 50% operating-cost overrun.

Board composition, senior management bios, MLRO and Compliance Officer CVs, organisational chart, three-lines-of-defence model, fit-and-proper questionnaires for each director and key person. Substance evidence: residency, time-spent-in-jurisdiction, employment contracts.

AML/CTF policy aligned to AMLR (Regulation 2024/1624)³^[3] — customer risk model, EDD triggers, sanctions screening, transaction monitoring rules, MLRO appointment, training plan. Generic templates fail in the first review.

Method (segregation, insurance, or guarantee — segregation is standard), candidate safeguarding bank, account-naming convention, daily reconciliation, attestation cadence, contingency plan in event of safeguarding-bank failure.

IT architecture, third-party processor list, API security, DORA⁴^[4] ICT-third-party risk register, RTO/RPO commitments, incident response runbook. Mandatory since 17 January 2025.

Business continuity plan, IT disaster recovery, vendor concentration, key-person risk, communication plan during outage. Tested annually; drill log expected at year-1 review.

36-month P&L, balance sheet, cash flow, capital adequacy projection, customer-volume forecast, revenue mix, OPEX detail. Internally consistent with the POO and the ICAAP — inconsistencies between modules are the single fastest route to a stage-1 finding.

Every material outsourcing arrangement: KYC vendor, fraud monitoring, card processor, BIN sponsor (where applicable), cloud infrastructure, payroll, audit. Each with criticality rating, exit plan, and DORA classification.

Inventoried risks (operational, financial, AML, conduct, ICT, reputational), inherent vs residual rating, key controls mapped to each risk, control-test cadence. The risk register evidences whether the firm thinks about risk systematically or only when asked.

This is what has changed most. Bank of Lithuania expectations on substance now include:

• CEO resident in Lithuania, full-time, with employment contract — not a part-time NED based abroad.

• MLRO resident in Lithuania, full-time, with documented crypto/payments experience.

• At least 5–10 FTEs in Vilnius at authorisation; doubling within year 1.

• Real office (signed lease, photos, on-site visit), not a serviced address.

• Board meetings physically in Lithuania, with minutes, at least quarterly.

• Material decisions taken in jurisdiction — not ratified locally after the fact.

The shop-window pattern — a Vilnius office with two compliance staff and all real activity in London, Tel Aviv or Dubai — is now refused at authorisation. Existing licences operating this way have been re-examined.

The single most common reason in 2026. Director addresses offshore, MLRO based abroad, founder visiting Vilnius once a quarter — all red-lined immediately. Pre-empt by hiring local CEO and MLRO before filing.

Multi-layer holding companies, professional shareholders, undisclosed institutional shareholders. Pre-empt by mapping UBO to natural-person source-of-wealth dossiers before submission.

Volumes in the POO that do not match the financial model. Customer count in the AML risk model that does not match the projection. These break in the first read because the supervisor cross-references modules.

Templated AML programmes that do not reflect the actual customer base, channel mix, or transaction-monitoring setup. Pre-empt by commissioning a bespoke AML build aligned to the AMLR rulebook.

€350,000 at the floor with thin year-1 revenue produces a going-concern question the supervisor cannot ignore. Capitalise above 1.5x the EMD2 floor at minimum.

6–12 months from formal submission to operational licence at well-prepared applicants. The 3-month lower bound that some advisers quote applies only to extremely simple, well-funded, substance-complete applications. Most files take 8–10 months.

€350,000 is the EMD2 floor; €500,000–€750,000 is the practical capital range at authorisation. Method A or D under EMD2 Article 5 determines ongoing capital — Method A typically applies through year 1.

In 2026, effectively yes. The substance bar requires CEO and MLRO resident in country, full-time, with employment contracts. Founders who try to run the licence remotely are refused.

No. Post-Brexit there is no passporting between the EEA and the UK. A separate UK authorisation (e.g. FCA EMI registration via the FCA) is required to serve UK customers.

Yes — and it's increasingly common. The dual-licence structure (EMI + CASP from the same entity in Lithuania) compresses substance investment and gives a clean perimeter for combined fiat + crypto operations. Plan it as a single authorisation programme, not two sequential ones.

• EMI vs PSP vs VASP vs CASP — choosing the right authorisation before targeting Lithuania.

• Bank Account for an EMI: 2026 Buyer's Playbook — the banking workstream that runs in parallel to authorisation.

• EMI Safeguarding Architecture — the safeguarding methodology section of the file, in detail.

• EEA vs UK vs Offshore — jurisdiction trade-offs that frame the Lithuania choice.

Lithuania is still the EEA's most-used EMI jurisdiction — but it is not the easy jurisdiction it was three years ago. The applicants that move cleanly through 2026 are the ones that build substance before they file, capitalise above the floor, and treat the document file as a coherent narrative across modules rather than ten parallel templates. The supervisor's diligence is the same as ever; the bar has simply gone up.