Compliance, 19 June 2026

Lithuania Crypto Licence: VASP Registration and AML Requirements

Overview of Lithuania's Crypto Licensing Framework

Lithuania has been among the most prominent EU destinations for crypto licensing for several years, and has at various points held the distinction of having issued more VASP licences than almost any other EU member state. This volume of activity reflects both the country's historically accessible regulatory entry point and the strong institutional support that Lithuania's government has provided to the fintech sector, positioning Vilnius as one of Central and Eastern Europe's leading fintech hubs.

The regulator responsible for VASP licensing in Lithuania is the FNTT: Finansinių nusikaltimų tyrimo tarnyba, which translates as the Financial Crime Investigation Service. The FNTT operates under the Ministry of Interior and is the primary supervisory authority for AML compliance by virtual asset service providers. It issues and revokes VASP licences, conducts supervisory inspections, and receives suspicious transaction reports from obliged entities in the virtual currency sector.

The legal framework for virtual currency regulation in Lithuania is established under the Law on the Prevention of Money Laundering and Terrorist Financing (Pinigų plovimo ir teroristų finansavimo prevencijos įstatymas). This law was significantly amended in 2022 to raise the requirements for VASP authorisation and tighten the operational obligations of existing licensees, in response to concerns from FATF and EU bodies about the quality of supervision in high-volume licensing jurisdictions.

Lithuania's attractiveness as a licensing jurisdiction has historically rested on several factors: a supportive government fintech strategy, the availability of banking services for licensed crypto firms (which remains a challenge in many EU jurisdictions), a developed compliance services market with expertise in VASP licensing, and the additional option of applying for a more prestigious Electronic Money Institution (EMI) licence from the Bank of Lithuania, which provides EU passporting rights. The 2022 tightening of VASP requirements reduced the volume of new approvals but maintained the quality of the framework that makes Lithuania a credible EU licensing destination.

Activities Requiring a Licence

The Lithuanian AML Law defines the virtual currency activities that require FNTT licensing. Any entity wishing to conduct these activities from a Lithuanian entity must obtain a VASP licence before commencing operations. The requirement extends to Lithuanian-incorporated companies regardless of whether their clients are based in Lithuania or elsewhere in the EU.

The following activities require a Lithuanian VASP licence:

  • Exchange of virtual currencies for fiat currencies: any service enabling customers to purchase or sell virtual assets in exchange for euros, US dollars, or any other traditional currency. This includes both peer-to-peer exchange services and centralised exchange platforms.
  • Exchange of virtual currencies for other virtual currencies: crypto-to-crypto exchange, including automated market-maker services, token swap services, and any custodial exchange service where the operator holds customer assets during the exchange process.
  • Operation of a virtual currency exchange: operating a trading venue or marketplace for virtual currencies where multiple buyers and sellers interact. This covers centralised exchanges and hybrid models.
  • Provision of virtual currency wallets: any service that holds, stores, or manages virtual currency private keys on behalf of customers. This includes custodial wallet applications, multi-signature wallet services where the provider controls one or more keys, and custody platforms for institutional clients.
  • Virtual currency transfer services: services that execute transfers of virtual currency on behalf of customers, including payment processing services that use blockchain infrastructure.

As with Poland and Estonia, purely non-custodial models are less clearly within scope, but firms whose services facilitate access to virtual currency markets even without holding assets directly should seek legal advice before concluding that the licence is not required. The FNTT has taken a broad interpretive approach to defining the scope of virtual currency activity.

Requirements After the 2022 Tightening

Prior to 2022, Lithuania's VASP licensing requirements were among the most accessible in the EU. The minimum capital requirement was €2,500, there was no physical office requirement, and the AML programme standards were less rigorously assessed than in jurisdictions with smaller licence volumes. The result was a very high volume of licence applications, many from firms with minimal genuine connection to Lithuania, and a correspondingly elevated risk of the Lithuanian regime being used as a conduit for financial crime.

The 2022 amendments significantly raised the bar. The key changes were:

  • Minimum share capital increased from €2,500 to €125,000. This is the highest capital requirement among the three Baltic state crypto licensing jurisdictions and reflects the FNTT's intention to limit the regime to firms with genuine financial substance.
  • Management residency requirement. The management of the licensed entity must include at least one Lithuanian-resident director or manager. This person must be genuinely engaged in managing the business and must have relevant competence. Nominee arrangements do not satisfy this requirement.
  • Registered office in Lithuania. The company must have a genuine registered office in Lithuania, not merely a registered agent address. While the substance requirement is less explicitly articulated than in Estonia, the FNTT has made clear through its licensing practice that post-box registrations are not acceptable.
  • AML compliance officer (MLRO) requirement. A qualified and designated MLRO must be appointed before the licence is granted and must be operationally responsible for the AML programme from day one.
  • Fit and proper requirements for management and MLRO. All board members and the MLRO are subject to FNTT fit and proper review, including criminal background checks, professional competence assessment, and review of business reputation.
  • Enhanced AML programme standards. The FNTT moved from a permissive review of AML programmes to active assessment of whether the programme is genuine and operational. Template programmes are rejected; the FNTT expects firm-specific procedures that reflect the actual risk profile of the business.

The volume of new VASP licences issued by the FNTT fell significantly following the 2022 amendments. This was an explicit policy outcome: the FNTT and the Lithuanian government wanted to reduce the overall number of licences and improve the average quality of the licensed population. Existing licences that did not meet the new requirements were subject to review and potential revocation, and a number of licences were in fact revoked during the transition period.

AML and KYC Operational Requirements

The AML and KYC obligations of Lithuanian VASP licensees are detailed and operationally demanding. They apply continuously from the date the licence is granted and are assessed by the FNTT through regular supervisory interactions and inspections. The following provides a breakdown of the core operational requirements.

Business-Wide AML Risk Assessment

Every licensed VASP must conduct and document a business-wide AML risk assessment. The assessment must identify the money laundering and terrorist financing risks inherent in the firm's products, services, client base, delivery channels, and geographic exposure. It must evaluate the effectiveness of controls in place to mitigate those risks and set out a programme for managing residual risk. The risk assessment must be reviewed annually and updated following any material change to the business or the regulatory environment.

Internal AML Procedures

The firm must maintain documented internal AML procedures covering: the risk-based approach to customer due diligence; CDD and EDD procedures; transaction monitoring methodology; suspicious transaction identification and reporting; record-keeping obligations; and staff training. These procedures must be firm-specific, reflecting the actual services and risk profile of the business. Generic templates that are not adapted to the firm's operations are a consistent basis for FNTT rejection of licence applications and a recurring finding in supervisory inspections.

Customer Due Diligence

Standard CDD is required for all customers before the business relationship commences and is maintained on an ongoing basis. CDD includes: identity verification using reliable, independent sources; for legal entity customers, identification and verification of beneficial owners; understanding the purpose and nature of the business relationship; and ongoing monitoring for consistency with the firm's knowledge of the customer. The frequency and intensity of ongoing monitoring should be risk-based: higher-risk customers require more frequent review.

Enhanced due diligence (EDD) is mandatory for high-risk customers. Triggers for EDD under the Lithuanian AML Law include: PEPs and their close associates; customers from high-risk third countries designated by the European Commission or FATF; customers whose source of funds or wealth raises questions that standard CDD cannot resolve; and transactions that are unusual in size, complexity, or structure relative to the customer's known profile. EDD must involve additional verification steps, senior management approval, and enhanced ongoing monitoring. For a detailed breakdown of how KYC and AML operational controls function in a well-run crypto business, see our dedicated guide.

Designated MLRO

The designated MLRO is the individual responsible for the firm's AML programme. The MLRO must have relevant AML knowledge and experience, sufficient seniority within the firm to make decisions and escalate concerns effectively, and direct access to the management board. The MLRO is the primary point of contact with the FNTT and is responsible for the submission of suspicious transaction reports. The MLRO must be approved by the FNTT as part of the licence application process, and any change of MLRO must be notified to the FNTT promptly.

Transaction Monitoring

Ongoing transaction monitoring must be systematic and risk-based. The monitoring programme must cover all customer transactions and must be calibrated to detect patterns indicative of money laundering or terrorist financing: unusual transaction volumes; transactions to or from high-risk jurisdictions; structuring behaviour (multiple transactions designed to stay below reporting thresholds); rapid movement of funds through accounts; and transactions inconsistent with the customer's stated purpose or known profile. For firms with significant transaction volumes, automated monitoring tooling is a practical necessity. The monitoring rules and thresholds must be documented and must be reviewed regularly to ensure they remain appropriate.

Suspicious Transaction Reporting

Where a monitoring alert or other information gives rise to a suspicion of money laundering or terrorist financing, the MLRO must conduct a timely internal investigation. Where the suspicion is not resolved, an STR must be submitted to the FNTT. The obligation to report is not discretionary; failure to submit a required STR is a criminal offence. Tipping off the customer that an STR has been or may be submitted is also prohibited. All STR submissions and the investigations supporting them must be documented and retained.

Record Keeping

All CDD records, transaction records, and AML-related documentation must be retained for a minimum of eight years in Lithuania (longer than in most EU jurisdictions, which require five years). Records must be maintained in a format that is complete, unaltered, and accessible for FNTT inspection or law enforcement request. Record-keeping systems must be secured against unauthorised access, modification, or deletion.

Staff Training

AML training is required for all staff who are involved in customer relationships, transaction processing, or AML-relevant functions. Training must be documented, with records of attendance and assessment. New staff must complete training before taking up client-facing or transaction-processing responsibilities. The MLRO typically designs and delivers the training programme, with content that reflects the firm's specific risk environment and the current regulatory landscape. Training records are a consistent focus of FNTT inspections, and firms without complete training documentation face enforcement consequences.

Cybersecurity Requirements

Lithuania's cybersecurity expectations for VASP licensees draw from several sources. The FNTT does not publish a standalone cybersecurity framework equivalent to, for example, FCA guidance in the UK, but the security expectations implicit in its licensing assessment and supervisory inspections are material. Additionally, the Bank of Lithuania has published operational resilience guidelines for payment institutions and electronic money institutions that, while not directly applicable to FNTT-licensed VASPs, set the standards that the financial sector regulator in Lithuania expects from firms handling customer assets and data.

Custody Security

VASPs that hold virtual assets on behalf of clients must demonstrate that those assets are held securely. This means hardware security module (HSM) infrastructure or equivalent for private key management; segregation between hot and cold wallet infrastructure, with the majority of client assets in cold storage; multi-signature or multi-party computation (MPC) approval processes for movements from cold storage; and documented procedures for key recovery and business continuity in the event of infrastructure failure. The FNTT reviews custody arrangements as part of the licence application assessment, and custody security deficiencies are a basis for rejection or conditions on the licence.

Information Security Policies

Licensed VASPs are expected to maintain documented information security policies. These should cover: access control and identity management; data classification and protection; system hardening and vulnerability management; network security architecture; supplier and third-party security management; and physical security of key infrastructure. The policies must be reviewed regularly and must be genuinely operational, not simply filed as application documents.

Incident Response and Business Continuity

A documented incident response plan is required. The plan must define what constitutes a security incident, the escalation and decision-making path, notification obligations (including to the FNTT where a security incident has AML implications, and to the data protection authority under GDPR), containment and recovery steps, and post-incident review procedures. Business continuity planning must address the resilience of transaction processing, custody systems, and AML monitoring infrastructure. Under MiCA and DORA, these requirements will be significantly formalised. Our guide on DORA compliance covers what the Digital Operational Resilience Act requires from financial entities including licensed VASPs.

DORA and the Security Upgrade Path

The Digital Operational Resilience Act applies to financial entities, and VASPs authorised under MiCA are within scope. For Lithuanian VASP licensees planning the MiCA transition, DORA compliance is not a separate future concern; it is a component of the MiCA authorisation programme. Building the ICT risk management framework, ICT-related incident reporting procedures, digital operational resilience testing programme, and ICT third-party risk management framework required by DORA is part of the MiCA readiness work that Lithuanian firms should be undertaking now.

Security4Web3 provides the security programme building blocks that Lithuanian VASP applicants and existing licensees need: security architecture review, custody security design, penetration testing and vulnerability assessment, information security policy drafting, incident response planning, and DORA readiness assessment. The security programme is not ancillary to the compliance programme; it is the infrastructure on which a credible compliance programme operates.

Application Process

The VASP licence application in Lithuania is submitted to the FNTT. The application must be submitted in Lithuanian, and all supporting documents must be in Lithuanian or accompanied by certified translations into Lithuanian. The company must be registered in the Lithuanian Register of Legal Entities before the application can be submitted. There is no application fee charged by the FNTT, though the professional costs of preparing a complete application are significant.

Required Documentation

  • Company registration documents: extract from the Register of Legal Entities confirming the company's registration, activities, share structure, and management.
  • Articles of association and other constitutional documents of the company.
  • AML programme: the complete, firm-specific internal AML procedures, including the business-wide risk assessment, CDD and EDD procedures, transaction monitoring methodology, STR procedures, record-keeping system description, and staff training plan.
  • CVs and criminal record certificates for all board members, the MLRO, and key function holders. Criminal record certificates must be obtained from the relevant authorities in Lithuania and in each jurisdiction where the individual has resided for the past five years.
  • Fit and proper declarations for all board members and the MLRO.
  • Proof of share capital: bank statement, auditor confirmation, or other documentary evidence of paid-up capital of at least €125,000.
  • Proof of registered office: lease agreement or ownership documentation for the Lithuanian premises.
  • Description of IT infrastructure and security controls: an overview of the technical systems supporting the business, including custody arrangements, transaction monitoring tooling, and security measures.
  • Business plan: a description of the proposed services, target markets, transaction volume projections, and financial sustainability of the operation.

Processing Timeline

The FNTT typically takes between one and three months to process a complete VASP licence application. This is broadly comparable to Estonia's 60 to 90 day timeline and faster than some other EU licensing regimes. The timeline is heavily dependent on the quality of the application: complete applications with well-drafted, firm-specific AML programmes are processed more quickly than incomplete applications or those where the FNTT has questions about the substance of the compliance programme. The FNTT may request additional information during the review period, which pauses the clock until a response is received.

Ongoing Compliance Obligations

The FNTT's oversight of licensed VASPs is continuous. Obtaining the licence is the commencement of a compliance relationship with the regulator, not the conclusion of a one-time process. The following ongoing obligations apply to all Lithuanian VASP licensees.

Annual Self-Assessment

Licensed VASPs must conduct and submit an annual AML compliance self-assessment to the FNTT. This assessment covers the firm's AML risk profile, the operation of its AML programme during the year, the volume and nature of STRs submitted, any material incidents or compliance failures, and changes to the business or services. The self-assessment is a key input for the FNTT's risk-based supervisory planning and forms the basis for identifying firms that require inspection.

Notification of Changes

Material changes to the licensed entity must be notified to the FNTT promptly. This includes: changes to the management board; changes to the MLRO; changes to the beneficial ownership structure; significant changes to the services offered; changes to the registered office; and changes to the IT infrastructure that affect the AML programme or custody arrangements. Failure to notify material changes is a compliance violation and can result in enforcement action or licence conditions.

FNTT Inspection Rights

The FNTT has broad supervisory inspection rights and exercises them. Inspections may be routine (scheduled on the basis of the annual self-assessment and the FNTT's risk model) or targeted (triggered by specific concerns, such as low STR submission rates relative to transaction volumes, or information received from other authorities). During inspections, the FNTT reviews CDD files, transaction monitoring records, STR submissions and supporting investigations, training records, and IT security arrangements. Firms must cooperate fully and must have their records in a readily accessible format.

Licence Revocation

The FNTT has used its revocation powers and continues to do so. Common grounds for revocation in Lithuania include: failure to maintain the minimum capital level; failure to maintain genuine Lithuanian substance; AML programme deficiencies identified during inspection; low or absent STR submission rates; failure to submit required annual self-assessments; and evidence that the licensed entity is being used to facilitate financial crime. The FNTT's track record on revocation is well-established, and firms should not treat the licence as perpetual once obtained.

The Bank of Lithuania EMI Route

For firms seeking a higher level of regulatory credibility and EU passporting rights beyond the FNTT VASP licence, the Bank of Lithuania (Lietuvos bankas) offers a route to an Electronic Money Institution (EMI) licence. The EMI licence is a separately authorised product under the Payment Services Directive (PSD2) and the Electronic Money Directive (EMD2), administered by the Bank of Lithuania rather than the FNTT.

The Bank of Lithuania has developed a strong reputation among fintech firms as a regulator that engages constructively with new business models while maintaining high standards. It operates a fintech enabler team that assists applicants in understanding the requirements and navigating the application process. This constructive engagement, combined with the EU passport that the EMI licence provides, makes the Bank of Lithuania route attractive for crypto firms with significant scale ambitions.

The EMI licence is more demanding than the FNTT VASP licence in several respects. Capital requirements are higher, reflecting the greater complexity of authorised activities. Governance and organisational requirements are more extensive. The Bank of Lithuania conducts a more thorough assessment of the firm's IT security, operational resilience, and business continuity arrangements. And the EMI licence carries ongoing supervision by the Bank of Lithuania with a higher intensity than FNTT supervision of VASP licensees.

A common path taken by crypto firms in Lithuania is to obtain the FNTT VASP licence first, build the operational track record and compliance infrastructure required by the Bank of Lithuania, and then apply for the EMI licence as a second step. This staged approach allows firms to commence operations earlier while building towards the higher-credibility authorisation. It is important to note, however, that the FNTT VASP licence and the Bank of Lithuania EMI licence are authorisations for different activities; the EMI licence does not replace the VASP licence for virtual currency-specific activities unless the firm restructures its services accordingly.

MiCA Transition for Lithuanian VASPs

MiCA applies directly in Lithuania as an EU regulation, without the need for national implementing legislation. The competent authority for MiCA CASP authorisation in Lithuania is the Bank of Lithuania (Lietuvos bankas), which takes over the supervisory responsibility for licensed crypto-asset service providers from the FNTT under the MiCA framework. This represents a significant shift in the institutional landscape: the FNTT's role will diminish as firms transition from national VASP licences to MiCA CASP authorisations, and the Bank of Lithuania becomes the primary regulator for the sector.

FNTT-licensed VASPs benefit from a transitional period during which they may continue operating under their national licences while applying for MiCA CASP authorisation. The length and conditions of the transitional period are defined in the applicable MiCA transitional provisions and in any national implementing measures. Firms should not assume that the transitional period provides indefinite protection; it is a finite window, and firms that have not submitted a MiCA application by the relevant deadline will lose the right to continue operating under the national licence.

MiCA's requirements for CASPs are substantially more demanding than the FNTT VASP framework in several areas. Organisational requirements under MiCA include governance arrangements, remuneration policies, conflicts of interest management, and senior management fitness standards that go well beyond the FNTT's assessment. Capital requirements under MiCA vary by the type and scale of services, with higher requirements for CASPs that hold client assets or operate trading venues. Client asset protection rules under MiCA are prescriptive, requiring segregation, custody standards, and reconciliation procedures. Cybersecurity and operational resilience requirements under MiCA are aligned with DORA, requiring a formalised ICT risk management framework. For a comprehensive breakdown of what MiCA requires from a licensed CASP, see our detailed guide on MiCA compliance requirements.

Firms that are applying for the Lithuanian VASP licence now should treat the national licence as a staging point and should build their compliance and security programmes to MiCA standards from the outset. The cost of building to a higher standard initially is consistently lower than the cost of a programme overhaul at the MiCA transition point. And firms that arrive at the MiCA application with a well-documented, genuinely operational compliance programme are in a substantially stronger position relative to firms that have maintained only the minimum necessary to hold the national licence.

Comparison with Estonia and Poland

Lithuania, Estonia, and Poland are the three most actively considered EU jurisdictions for VASP licensing, and each presents a distinct risk/cost/effort profile. The right choice depends on the firm's specific circumstances, including its capital position, team location, target markets, and strategic timeline.

Capital Requirements

Lithuania requires €125,000, the highest among the three. Estonia requires €100,000. Poland has no statutory minimum. For capital-constrained firms, Poland is the most accessible. For firms with capital available, the Lithuanian requirement is manageable but represents a meaningful commitment. The higher capital requirements in Lithuania and Estonia also reflect the higher credibility those licences carry in the market.

Substance Requirements

All three jurisdictions now require some form of local substance. Lithuania requires a registered office and a Lithuanian-resident manager. Estonia requires a physical office and a resident board member, with the most explicit articulation of the substance requirement. Poland requires a registered company and address but is less prescriptive on physical presence. Lithuania sits between Estonia's strict substance requirement and Poland's more flexible approach.

Processing Timeline

Lithuania typically takes 1 to 3 months. Estonia takes 60 to 90 days. Poland takes 2 to 4 weeks. For firms that prioritise speed to market, Poland offers the most immediate path. For firms where the credibility of the licensing jurisdiction is a priority for institutional counterparties, the longer timelines in Estonia and Lithuania may be acceptable.

Regulatory Ecosystem

Lithuania's combination of the FNTT VASP licence and the Bank of Lithuania EMI licence provides a two-stage path from initial market entry to a full-service, passportable EU authorisation. Estonia lacks an equivalent second-step option within its VASP framework (the MiCA transition to Finantsinspektsioon serves a similar purpose but is a different regulatory instrument). Poland's path to MiCA is through the KNF. For firms with significant EU ambitions, Lithuania's Bank of Lithuania EMI route and its constructive engagement record may represent a strategic advantage over the other two jurisdictions.

For detailed information on Estonia's specific requirements, see our guide on the Estonia crypto licence requirements. For Poland's framework, see our guide on the Poland crypto licence.

The Operational Security Angle

Lithuania's FNTT has developed a reputation for revocation enforcement that is more active than many other EU supervisory authorities. The FNTT's enforcement record makes clear that it distinguishes between firms that filed an AML programme with their licence application and firms that operate one. The distinction has material consequences: firms in the first category face revocation; firms in the second category retain their licences and build the supervisory relationship that supports future regulatory engagement.

The operational security of the firm is the foundation on which a genuine AML programme stands. This connection is direct and concrete: a transaction monitoring system that is not properly integrated with the firm's trading and custody infrastructure does not monitor transactions; it monitors a subset of them. CDD records that are stored in unsecured systems are records that can be altered, deleted, or accessed by unauthorised persons; they are not reliable records for supervisory purposes. Training records that exist only as entries in a spreadsheet, without audit trails confirming that training actually took place, are not evidence of a training programme; they are a document that says a training programme exists.

The FNTT's inspections probe precisely these gaps. Inspectors review whether the transaction monitoring system is running and whether its alerts are being investigated. They review whether CDD files are complete and current. They request training records and assess whether the staff responsible for AML functions can demonstrate the knowledge that training is supposed to provide. Firms whose operational infrastructure is not secure, complete, and genuinely functioning fail these tests.

Security4Web3's engagement with Lithuanian VASP applicants and licensees addresses the operational security dimension of compliance as a core component of the engagement, not an optional add-on. This includes: security architecture review of the systems supporting the AML programme; assessment of custody security arrangements against current best practice; penetration testing of client-facing and internal systems; review of data integrity controls for CDD and transaction records; incident response plan development; and DORA readiness assessment for firms approaching the MiCA transition. Firms that have built a genuine operational security programme are firms that pass FNTT inspections and retain their licences through supervisory cycles. Firms that have filed security policies without building security programmes are firms that lose licences when the inspections come.

Frequently Asked Questions

What is the Lithuania crypto licence?

The Lithuania crypto licence is a Virtual Asset Service Provider (VASP) authorisation issued by the FNTT (Financial Crime Investigation Service) under the Law on the Prevention of Money Laundering and Terrorist Financing. It authorises a Lithuanian-registered company to provide virtual currency exchange, wallet, transfer, and exchange platform services. Following the 2022 tightening of requirements, the licence demands genuine Lithuanian substance, significant capital, a fit and proper management team, and a genuinely operational AML programme.

What is the minimum capital for a Lithuania VASP licence?

Following the 2022 amendments, the minimum share capital for a Lithuanian VASP licence is €125,000. This is the highest capital requirement among the three Baltic state crypto licensing jurisdictions, and represents a significant increase from the previous threshold of €2,500. The capital must be paid up at the time of application and must be verifiable through documentary evidence submitted with the application.

Do I need a Lithuanian office for the FNTT licence?

Yes. The Lithuanian VASP licensing requirements include a genuine registered office in Lithuania, and the management of the entity must include at least one Lithuanian-resident director or manager. A post-box address or registered agent arrangement without genuine operational presence does not satisfy the substance requirements. The FNTT has the authority to assess the genuineness of an applicant's Lithuanian substance and has rejected applications where substance requirements were not met.

How does MiCA affect Lithuanian crypto licences?

MiCA introduces a harmonised EU CASP authorisation that supplements and will replace national VASP registrations over a transitional period. The competent authority for MiCA CASP authorisation in Lithuania is the Bank of Lithuania (Lietuvos bankas). FNTT VASP licensees benefit from a transitional period during which they may continue operating while applying for MiCA authorisation, but the FNTT licence does not automatically convert to a MiCA authorisation. MiCA requirements include more extensive governance, capital adequacy, client asset protection, and DORA-aligned cybersecurity standards than the current FNTT framework.

What is the difference between the FNTT licence and the Bank of Lithuania EMI licence?

The FNTT VASP licence authorises virtual currency exchange, wallet, transfer, and exchange platform services under the AML law framework. It is supervised by the FNTT and does not in itself provide EU passporting rights. The Bank of Lithuania EMI (Electronic Money Institution) licence authorises the issuance of electronic money and the provision of payment services under PSD2 and EMD2, and includes EU passporting rights allowing the holder to operate across all EU member states. The EMI application is assessed by the Bank of Lithuania, which has a reputation for constructive engagement with crypto and fintech firms. The two licences are for different activities; some firms hold both. A common strategy is to obtain the FNTT VASP licence first, build operational track record, and then apply for the Bank of Lithuania EMI licence as a second step towards a full-service EU authorisation.
