What should fintech companies know about internal audits?
In order to ensure the stability and transparency of the financial market, as of January 2021 the Bank of Lithuania introduced a new obligation for licensed companies to have an internal auditor. As a result, the financial market surveillance authority will pay closer attention to whether and how internal audit functions are implemented in Electronic Money Institutions (ELMIs) and Payment Institutions (PIs). What should ELMIs and PIs take care of to avoid errors and possible penalties related to internal audit? What internal resources will these institutions have to use, or is it better to hand over the internal audit functions to external service providers, such as consultants or auditors? Ieva Bakutienė, Licensing Services Manager at Noewe, expands on the topic.
Ensuring the internal audit function is not new to financial market participants, as the need for it was already provided for in the past, for example, in the Law on Electronic Money and Electronic Money Institutions and the Law on Payment Institutions. However, the regulation in force up to now has been rather declaratory and has raised a number of questions among market players, as the legislation only provided for a formal requirement for ELMIs and PIs to ensure that internal audit functions are performed.
The detailed regulation of the implementation of the internal audit function entered into force in January 2021. The amendments were adopted by the Board of the Bank of Lithuania in July 2020, which passed a resolution approving the description of the requirements for the management system of ELMIs and PIs and the protection of the funds received by them. The latter, inter alia, defines more specific guidelines on how internal audits are to be performed, while also emphasizing the binding nature of ensuring this function.
In principle, before the new resolution of the Bank of Lithuania was passed, the implementation of the internal audit function was left mostly up to the institution itself. As a result, most ELMIs or PIs have so far often performed internal audits in a rather fragmented manner, for example by auditing only the activities related to compliance with the applicable anti-money laundering requirements.
Meanwhile, attention and resources for internal audits of other operations were either not allocated at all or were significantly limited. For example, the practical implementation of many procedures developed by ELMIs and PIs at the licensing stage in relation to their management system and internal control remained at the bottom of the ‘to do’ list even after they actually launched their operations on the market.
Thus, the entry into force of the revised regime should help reduce the number of such cases by providing financial market participants with more specific guidelines and requirements based on which the functionality of internal audits must be ensured.
In many cases, the fintech companies operating in Lithuania are foreign-owned entities and are part of international corporate groups. The latter often tend to appoint in-house individuals with foreign experience to the position of internal auditor. Although they are well-versed in the peculiarities of ELMIs’ or PIs’ operations, it is rather complicated for them to provide a competent and reasoned audit report on an institution operating in Lithuania, because they lack knowledge of the requirements of national legislation and of how those requirements are implemented in practice.
Effective internal audit is not just a formal requirement. It is a significant tool to help businesses identify risks in a timely manner and to take appropriate preventive measures in order to ensure business continuity, stability, trust and financial benefits.
Expert comment
Ernestas Švoba, Project Lead at UAB Nordgain, which is part of Noewe group, notes that the market has recently seen an upsurge in internal audit services. This can be attributed both to the emergence of internal audit regulation and to the strong growth of the fintech services market. One can agree that fintech companies are often part of international corporate groups and tend to have in-house internal auditors. However, so far the ELMIs or PIs operating in Lithuania are young organisations, still in the early stages of their life cycle, and they often choose external consultants to perform the functions of internal auditors. As long as the company is young, its processes need not only to be supervised but also created, taking into account the requirements of the local regulator. Consultancy companies gain a competitive advantage over the intra-group auditors in this case, as they have already introduced these processes with a large number of clients and can therefore ensure their proper implementation from the outset.