Changes in legislation regarding management system, internal control and risk management system

Legal act: Resolution of the Board of the Bank of Lithuania No. 03-106 of 23 July 2020, Amending Resolution No. 247 of the Board of the Bank of Lithuania of 30 December 2009 on Requirements for Electronic Money Institutions and Payment Institutions Regarding Internal Control, Risk Management and Safeguarding of Received Funds.

Effective date: 1 January, 2021.

Amendment: 

The basic requirements for the management system, internal control and risk management system shall be specified for institutions:

  • imposed obligations to the Institution’s supervisory and management bodies – to approve the description of the Institution’s organizational and operational structure, risk management strategy, descriptions of the Institution’s internal control procedures, internal documents establishing the process of safeguarding electronic money holders and / or payment service users’ funds, accounting of such funds and internal control procedures.
  • criteria for assessing reliability of the management system are established. Institution’s management system is considered reliable if the Institution has designated persons responsible for control functions (persons responsible for risk management, compliance with legal requirements and the institution’s internal documents, including compliance with money laundering and terrorist financing prevention, risk management and supervision of the outsourcing, organization of internal audit). In addition, the Institution has internal accounting procedures for the management of financial information and reporting that enables Institution to use, manage and dispose its assets in a safe and reliable manner. Also, the Institution separately accounts for funds of electronic money holders and / or payment service users and other funds held by the Institution, applies other accounting procedures that enable the Institution to properly implement the requirements for safeguarding electronic money holders’ and / or payment service users’ funds. The institution has an approved business continuity plan to ensure the institution’s ability to continuously carry out activity and to limit losses in the event of a business disruption.
  • requirements for internal control and risk management system and internal audit are established. Person responsible for the implementation of the risk management function will have to submit a risk map of the Institution to the management body of the Institution at least on a quarterly basis and an annual risk management report once a year. The internal audit process within the institution must include the following stages: internal audit planning; performing internal audit; presentation of internal audit results; control over the elimination of deficiencies identified during internal audit and implementation of internal audit recommendations.

Recommendation:

To prepare/update internal documents for management system, internal control and risk management system, which should include, inter alia:

  • a description of the organizational and operational structure of the institution,
  • risk management strategy,
  • descriptions of the institution’s internal control procedures,
  • internal audit procedures,
  • accounting procedures for the management and reporting of financial information.

To ensure a clear and effective organizational structure (describe internally), including those responsible for control functions, i.e. persons responsible for:

  • risk management,
  • compliance with legal requirements and the Institution’s internal documents, including compliance with money laundering and terrorist financing prevention requirements,
  • for risk management and supervision of outsourcing,
  • for organization of internal audit.

Prepared by associate, assistant attorney-at-law Eglė Juškaitė.

Newsletter SubscriptionGet in touch