AML/KYC obligations for crypto businesses in Lithuania
Lithuania remains one of the most attractive hubs for crypto companies in the EU, yet regulatory requirements here are becoming increasingly stringent, especially in the area of AML/KYC. Following several legislative updates, the implementation of the Travel Rule, and preparations for the transition to MiCA, crypto businesses are facing heightened scrutiny from the FIU and the Bank of Lithuania. A mistake in risk assessment, a weak KYC process, or a purely formal approach to transaction monitoring can now lead to service refusals, payment blocks, or termination of relationships with EMI providers. Many companies underestimate the depth of the requirements until they receive a request to revise their AML framework or a notice of service discontinuation. In this article, we examine the AML/KYC obligations applicable to crypto companies in Lithuania, common mistakes that trigger regulatory risks, and strategies for preparing for assessments by both regulators and financial institutions.
Regulatory environment for crypto-business in Lithuania
Lithuania remains one of the most clearly regulated EU jurisdictions for crypto companies, thanks to a combination of national legislation and European directives. The primary goal of regulators is to ensure transparency, reduce financial crime risks, and establish predictable rules for all market participants.
Role of the FCIS (Financial Crime Investigation Service)
The Financial Crime Investigation Service (FNTT/FCIS) acts as Lithuania’s FIU and AML/CFT supervisor for obliged entities (including crypto-asset service providers), receiving and analysing STRs and other AML reports. The Bank of Lithuania is the competent authority for MiCA authorisation and ongoing prudential/market conduct supervision of CASPs.
The FCIS is responsible for:
- Supervising compliance with the Law on the Prevention of Money Laundering and Terrorist Financing;
- Analysing suspicious transactions and STR/SAR reports;
- Conducting inspections of crypto companies, including both scheduled and unscheduled audits;
- Issuing guidance and clarifications on the application of AML rules.
The regulator regularly publishes reports and updates on sectors considered high-risk. Crypto-assets consistently appear on the list of industries requiring enhanced monitoring.
Requirements of the Law on the Prevention of Money Laundering and Terrorist Financing
The main regulatory framework is the Law on the Prevention of Money Laundering and Terrorist Financing, incorporating the provisions of AMLD5 and AMLD6.
For crypto businesses, the law establishes:
- Mandatory customer identification (KYC);
- Requirements for collecting and verifying beneficial ownership data;
- The creation of a risk-based approach covering clients, transactions and geographic exposure;
- The obligation to appoint a designated AML officer;
- Mandatory reporting to the FCIS.
Recent updates and reforms
Lithuania is actively aligning its national rules with European initiatives, including:
- Implementation of elements of the EU Anti-Money Laundering Package, which introduces the unified supervisory regime under AMLA (the European Anti-Money Laundering Authority);
- Updates for CASPs in preparation for the full implementation of MiCA (Markets in Crypto-Assets Regulation);
- Expanded requirements for customer data collection and the use of EDD for high-risk jurisdictions.
It is also worth noting that Lithuania tightened its requirements for virtual asset service providers following several cases of market abuse. In 2023–2024, the FCIS conducted a series of CASP inspections, resulting in additional expectations for internal policies and procedural documentation.
Which companies in Lithuania are required to comply with AML/KYC?
AML/KYC obligations apply to all crypto services that fall under the definition of virtual asset service providers. The Lithuanian regulator applies a broad interpretation of CASPs, which means that most business models involving crypto-assets fall under the oversight of the FCIS.
Crypto Asset Service Providers: who falls under regulation
Under the Law on the Prevention of Money Laundering and Terrorist Financing, CASPs are required to comply with the full spectrum of AML/KYC requirements. The law applies to companies that:
- Exchange virtual assets for fiat currency and vice versa;
- Exchange one virtual asset for another;
- Provide custody or management services for crypto-assets;
- Administer crypto wallets or infrastructure enabling wallet operations;
- Provide services related to the transfer, distribution or distributed storage of virtual assets.
The regulator emphasizes that classification depends not on the legal form of the company but on the nature of its actual activities. Even technology companies that do not directly offer crypto operations may fall under regulation if their services facilitate the movement or storage of crypto-assets.
Additional obligations for CASPs engaged in exchange or custody services
In line with EU requirements and preparations for MiCA implementation, crypto businesses that provide services related to the transfer or custody of digital assets are subject to an expanded set of obligations. These include CASPs (Crypto-Asset Service Providers) that:
- Perform custodial operations;
- Process customer transactions;
- Participate in the transfer of tokens or other virtual assets;
- Conduct operations through third-party providers (banks, payment institutions);
- Act as intermediaries in crypto-fund or investment-related operations.
For CASPs, the regulator expects more granular monitoring procedures, including verification of the source of funds, geographic risk exposure and the nature of customer transactions.
KYC obligations for cryptocurrency companies
KYC is a core element of Lithuania’s regulatory framework for the crypto sector. All CASPs must verify customer identities, assess risks and continuously update the collected information. These requirements are based on the risk-based approach, which is mandatory for all financial and crypto service providers operating in Lithuania.
Customer due diligence (CDD): basic requirements
Basic customer due diligence (CDD) is performed before any operations begin. Its purpose is to establish identity, determine the risk level and identify potential red flags.
CASPs are required to collect:
- The customer’s name and date of birth, or company registration details;
- An identification document (passport/ID);
- Residential or registration address;
- Beneficial ownership data (for corporate clients);
- Information on the intended purpose of the business relationship.
CDD also includes an initial risk assessment covering geographic, behavioral and source-of-funds risks.
Enhanced due diligence (EDD): when it applies
EDD is performed when a customer or their transactions present elevated risk. In Lithuanian practice, this may be triggered by:
- The customer originating from a high-risk jurisdiction (according to the EU/European Commission list);
- The use of complex or unusual ownership structures;
- Large or atypical transactions;
- Connections to PEPs (politically exposed persons).
Under EDD, the company must request additional documentation, such as proof of the source of funds, evidence of income or explanations regarding the nature of the transactions. The level of scrutiny must correspond to the level of risk.
Ongoing monitoring: continuous customer oversight
Customer monitoring is a mandatory, ongoing process throughout the entire business relationship. It includes:
- Analysing transactions for consistency with the customer’s profile;
- Detecting suspicious activity;
- Regularly updating KYC information;
- Periodically reassessing the customer’s risk level.
The regulator emphasizes that monitoring must be proportionate to the risk profile: low-risk clients are reviewed less frequently, while high-risk customer activity may require near real-time monitoring.
AML commitments: internal policies and procedures
AML obligations in Lithuania go far beyond basic KYC. Every crypto company must implement a comprehensive internal control system based on a thorough assessment of customer, transaction and jurisdictional risks. These requirements are established in national legislation and are regularly clarified by the regulator to enhance market transparency.
AML Policy and internal controls
The internal AML policy is the primary document that defines how a company identifies and mitigates potential risks.
It must include:
- A description of customer identification methods and source-of-funds verification;
- Procedures for detecting suspicious activities;
- Rules for interacting with the FCIS and submitting reports;
- Escalation mechanisms for incidents;
- Internal audit procedures and policy review requirements.
The FCIS requires all procedures to be documented and reviewed regularly. Having a formal policy without real practical implementation is considered a violation.
Risk assessment: the risk evaluation model
Every crypto company is required to conduct a risk assessment before commencing operations and update it periodically. The risk-based approach forms the foundation of this process.
The assessment must cover:
- Risks related to customer categories;
- Country and geographic risks;
- Product and service risks;
- Transaction-related risks;
- Technological and operational risks.
The law requires that the risk assessment model be tailored to the scale and nature of the company’s business rather than copied from generic templates.
Reporting obligations: notifications to the FCIS
Crypto companies are required to notify the FCIS of suspicious transactions and specific types of activity. This is one of the core obligations, and failure to comply may result in significant penalties.
CASPs must submit:
- STR/SAR (Suspicious Transaction Reports) - reports on suspicious activities;
- Notifications about service refusals due to AML concerns;
- Updates regarding changes in ownership, officers or key personnel.
Companies must file an STR before executing a transaction whenever possible, or immediately after identifying the suspicion.
Qualification requirements for AML officers and team
Lithuanian law requires every crypto company to appoint a competent AML Officer responsible for implementing all internal control procedures. The regulator emphasizes that the officer’s qualifications must align with the specifics of the crypto market and the company’s risk profile.
Requirements for AML Officer competencies
The designated AML Officer must have proven expertise in AML/KYC, including knowledge of national and EU legislation as well as practical experience with virtual assets.
Key expectations of the regulator include:
- Experience in the financial or compliance sector;
- Understanding of the crypto market and transaction-related risks;
- Skills in analysing operations and detecting suspicious activity;
- Knowledge of FCIS requirements and the ability to communicate effectively with the regulator;
- The capability to implement and revise internal policies and procedures.
Appointing a formal officer without real competence is considered a violation, and the FCIS may require the company to replace the individual.
Internal training: mandatory staff education
All employees involved in customer interaction or transaction processing are required to undergo regular AML/KYC training. This requirement applies not only to officers but also to operational, customer-facing and technical teams.
Training must cover:
- Identifying suspicious activity;
- Updates to AMLD provisions and national regulations;
- Incident response and internal escalation procedures;
- Correct preparation of reports and documentation;
- Sanctions compliance and screening requirements.
Lithuanian regulators emphasize that such training must be conducted annually or more frequently if legislation or the company’s business model changes.
How crypto-businesses in Lithuania can stay compliant: practical recommendations
Compliance with AML/KYC requirements is not a one-time task but an ongoing process that requires continuous risk analysis, regular revision of internal procedures and adaptation to new EU standards. Companies that build their compliance systems strategically reduce regulatory risks, strengthen partner trust and create a solid foundation for international expansion.
Automation of KYC/AML processes
Automation minimizes human error and enables companies to handle large volumes of data with greater accuracy.
Crypto businesses are advised to:
- Use specialized RegTech solutions for KYC, transaction analysis and sanctions screening;
- Implement transaction monitoring engines for high-volume operations;
- Ensure automatic updates of sanctions lists and PEP data;
- Apply risk scoring models tailored to the specifics of the crypto sector.
Automation is especially crucial for companies with high transaction volumes or international customer bases.
Outsourcing and RegTech
Not all companies can maintain a full in-house AML department, which is why certain compliance functions may be delegated to external experts. However, outsourcing does not relieve a company of its regulatory responsibilities.
In practice, outsourcing helps to:
- Build processes more quickly during the business launch phase;
- Gain access to up-to-date expertise and industry developments;
- Reduce staff training costs;
- Ensure independent audits of internal policies;
- Communicate correctly with the FCIS during inspections.
Companies may also combine internal resources with external providers - an approach that is particularly effective during scaling.
Periodic reviews and system audits
Regular reviews are a mandatory part of the internal control framework. Authorities expect CASPs not only to maintain documentation but to update it in accordance with real risk levels.
Periodic reviews should include:
- Reassessment of the risk assessment model;
- Updating customer KYC data;
- Testing the effectiveness of transaction monitoring;
- Updating the AML policy and operational procedures;
- Verifying the qualifications of the AML Officer and the training level of the team.
Such reviews help identify weaknesses before a regulatory inspection and adjust the system proactively.
How can Key2Law help cryptocurrency companies in Lithuania comply with AML/KYC?
Compliance has become one of the key risk areas for crypto companies in Lithuania: the quality of KYC processes, internal policies and interaction with the FCIS determines not only a successful launch but also the long-term stability of the business. Key2Law team helps companies build an AML/KYC framework that fully aligns with Lithuanian legislation, European standards and regulator expectations. We ensure not only legal accuracy but also the practical applicability of every procedure.
Key2Law supports crypto companies in Lithuania by:
- Developing complete AML/KYC policies based on the risk-based approach and Lithuanian regulatory requirements;
- Preparing documentation for/CASP registration and facilitating communication with the FCIS;
- Conducting audits of existing procedures and identifying gaps that may lead to fines or service restrictions;
- Implementing sanctions screening, transaction monitoring and EDD processes;
- Training teams, including AML Officers, and assisting during regulatory inspections.
If you want to ensure full AML/KYC compliance, minimize regulatory risks and confidently scale your crypto business in Lithuania, contact Key2Law. Our team will help you build a robust compliance system and support your project at every stage of its development.