Risk Management in Fintech - Mission Possible or a Regulatory Nightmare?
- Agnė Dačkienė
- Oct 9
For several years now, we have witnessed impressive growth within Lithuania’s Fintech ecosystem. However, recent statistics indicate that this development is no longer just quantitative. The increasing financial independence of companies, the expanding client base and the growing number of professionals working in the sector reflect that many of these companies have clear goals and well-defined strategies - in other words, they hold the key to sustainable and high-quality growth.
Still, sustainable growth in this sector is inseparable from mature, risk-oriented operations. Fintech activity is being developed not only within a national framework but also in a highly regulated international environment, where the ability to identify and manage risks in a timely manner becomes a fundamental factor for long-term success.
Yet, in practice, some market participants continue to struggle with significant internal compliance issues, as reflected in extended licensing timelines and, in some cases, decisions to exit the market altogether (either voluntarily or as a result of regulatory intervention). UAB “Finansinės paslaugos “Contis”, an electronic money institution with seven years of operation in Lithuania, serves as a noteworthy example. Its withdrawal from the market came in the wake of regulatory intervention that temporarily restricted its ability to onboard new distributors and intermediaries. The regulatory response was based on critical gaps in the company’s risk management framework.
Among the market exits that have had a significant impact on the Fintech ecosystem are also the well-known cases of UAB Foxpay and UAB kevin EU. In both cases, license revocation was prompted by extensive and systemic compliance failures, including the lack of any functioning risk management system.
It goes without saying that regulatory responses to non-compliance are far from nominal - they have a direct impact on a firm's ability to conduct business, highlighting the strict regulatory expectations surrounding risk management in the Fintech industry. However, it is difficult to argue that regulatory non-compliance results from a lack of clarity or excessive complexity in the applicable requirements. Despite the demanding nature of the regulation, it remains well-defined and accessible. Regulatory authorities have provided detailed guidance on risk management, and industry experience confirms that effective risk management systems can be successfully implemented.
It is also worth emphasizing the risk management approach established by the regulator for Fintech firms, which supports a stage-specific implementation of risk management systems in line with a company's growth and maturity. The earlier the stage of development, the simpler the requirements. As a company grows, the scope of regulatory obligations expands accordingly - but so do internal capabilities, team maturity, and support from external advisors, enabling firms to meet regulatory demands.
What are the most common causes leading to ineffective risk management systems?
Incomplete risk identification
It is understandable that the primary objective for any Fintech company is growth and financial return. However, focusing solely on financial risk - as many companies do - is not sufficient. In practice, failure to identify and manage legal, reputational and regulatory risks in a timely manner can lead to regulatory sanctions that may essentially block a company’s ability to operate.
Use of template-based or inappropriately adapted models
Many companies rely on off-the-shelf risk management frameworks or adopt models from unrelated sectors. However, effective risk management in Fintech should evolve alongside the company’s growth and maturity. It requires ongoing review and adaptation to reflect changes in business scale, market dynamics, and risk appetite. In practice, many firms establish their risk management systems during the initial licensing phase and subsequently fail to update them, resulting in outdated and misaligned risk management.
Limited involvement of executive leadership
Ineffective risk management is often linked to minimal executive oversight. In many Fintech companies, risk reporting occurs only once per year, which may be insufficient given the sector's dynamic nature. This limited engagement can point to deeper inefficiencies in governance and risk culture.
Data relevance and quality
Even if risks are correctly identified, proper risk mitigation cannot be ensured if the company tracks irrelevant indicators or none at all - particularly those that could identify risks at the earliest stage. For example:
Inadequate capital impact assessment or excessive risk tolerance can lead to significant capital loss.
Delayed recognition of regulatory changes may impede timely implementation of critical compliance measures.
Failure to monitor IT or technology incidents increases the risk of major disruptions, data breaches, and reputational harm.
And yet – a challenging but achievable mission
Fintech sector regulation is undeniably strict, but most would agree that without high standards, it would be difficult to maintain Lithuania’s reputation as a reliable and attractive jurisdiction. Of course, completely eliminating risk is a complex task, sometimes even unrealistic, particularly given the external and often uncontrollable nature of many risks. However, appropriate, timely, and regulation-compliant preparation with proportionate resource allocation remains the only path toward sustainable success.
