The Bank of Lithuania has analyzed how electronic money institutions (EMIs) and payment institutions (PIs) are implementing the reliability requirements for the internal control and governance system. It found that only 17 % of EMIs and PIs meet all the requirements. In response, ECOVIS ProventusLaw compliance experts have prepared key guidance, examples of good practice, and improvements to be made in implementing the reliability requirements for the internal control, risk management, and governance system.
The Bank of Lithuania found that a significant part of the internal control documents of electronic money and payment institutions had not been approved by the company's management bodies and were not regularly reviewed. It also pointed out that the functions of managers and employees, their limits of responsibility, and their accountability are often left unregulated. Some EMIs and PIs have no designated persons responsible for control functions. The activities and functions of the institutions' supervisory bodies, as well as systems management and data processing, transmission, and storage, were also found to be unregulated. In addition, risk management strategies are often unregulated, risk maps are often not prepared, and risk analysis and assessment are not performed.
ECOVIS ProventusLaw has prepared a compliance checklist essential for all EMIs and PIs to ensure the reliability of their internal control and governance systems. Proper and smooth implementation of the reliability requirements for the internal control and governance system allows FinTech companies not only to avoid sanctions from the Bank of Lithuania, but also to gain the trust of their clients.
Policies
- The Company must implement the requirements for the reliability of the internal control and governance system.
- Internal control and governance documents must be approved by the management body and regularly updated.
- The Company must have internal rules on the review, renewal and amendment of the policies and procedures applied in the Company.
- Employees must be acquainted with the HR policy and other procedures. This familiarisation must be recorded and retained.
Organizational structure
- The Company must have an approved organizational structure.
- The roles, responsibilities and accountabilities of units, managers and staff shall be defined.
- The Company shall appoint the persons responsible for the control functions: local manager, risk officer, AML compliance officer, compliance officer, information security officer, internal audit, etc.
Bodies of the Company
- The Company must have internal control policies and procedures that would define the functions of the Company’s governing bodies.
- The activity and functions of the supervisory body (or the body that performs supervisory functions if a supervisory body (Supervisory Board) is not formed at the Company) shall be clearly set and implemented.
- The information provided to the supervisory body (or the body that performs supervisory functions if a supervisory body (Supervisory Board) is not formed at the Company) and to the management body of the Company must be collected and stored.
Reporting to authorities
- The Company must use a reporting calendar or a similar internal tool to track the deadlines for collecting information and submitting it to the Bank of Lithuania and other authorities.
IT system management
- The Company must have rules governing systems management and data handling, transmission, and storage.
- The Company must assess the possibilities of using or developing new IT technologies in its business to ensure the timely collection, processing and presentation of information.
Risk management
- The Company shall have a risk management strategy approved by the supervisory body (or the body that performs supervisory functions if a supervisory body (Supervisory Board) is not formed).
- The Company shall perform risk analysis and evaluation and properly implement its risk assessment processes: risk management methods, development of new risk instruments, etc.
- The Company must maintain operational risk and incident registers, as well as risk management and communication plans.
- The Company must provide the risk management report to the management body at least once a year and a risk map quarterly.
- Employees must be familiar with the risk assessment procedures and any amendments to them, so that they understand the process, its stages, and their functions.
ECOVIS ProventusLaw is ready to share its knowledge and practice if you need assistance in implementing the reliability requirements for the internal control and governance system.