Lithuania – Development of the Non-Bank “Fintech” Payments Sector

 

The Fintech Landscape in Lithuania 2020-2021
Invest Lithuania

If you’ve been following the news about Wirecard, you know Munich prosecutors are reportedly investigating a Euro 100 million transfer through UAB Finolita Lithuania on the suspicion that the some or all of the proceeds were transferred to Jan Marsalek, Wirecard’s fugitive Board member and CFO.

You should note and, if you haven’t, I will emphasize that there is apparently an ongoing investigation but no charges have yet been filed, nor judicial judgments issued.

As usual, the FT is keeping a close eye on developments. You are likely to find them a good source of information.

Members of the Bundestag and at least one Lithuanian (opposition) politician have criticized the Central Bank of Lithuania’s alleged “lax enforcement” and “failure to act” against Finolita.

The CBOL have vigorously rebuffed this charge.

At this stage it is premature to pronounce in favor of either of these two positions.

What we can do, however, is take a closer look at Lithuania’s non banks share of payment activity.

To see what sort of activity is taking place and assess regulatory and other risks on a macro basis.

To start, let's set the 'scene". 

As of year end 2020 Lithuania’s population was 2.8 million. As of May the estimate is 2.7 million.

2020 (estimated) GDP is some USD 55 billion which places it 80th in the world.

Per the CBOL’s 2020 annual review of banking activity as of 1 January 2021, there were 11 locally incorporated banks and 6 foreign branches operating in the country.

Despite the number of banks, the market is highly concentrated.

Two locally incorporated Swedish-owned banks (Swedbank and SEB) controlled 64% of banking assets in the country. 

Luminor Bank (DNB/Nordea) was the largest foreign branch.

Total banking sector assets were some Euros 37 billion as of FYE 2020.

According to a 2019 EBF study based on FYE 2018 financials Lithuania ranked 26^th out of the 28 states in the EU-28. In the EU (Euro area), it was 17^th.

So relatively small beer. Not a lot of prospects to expand its commercial banking sector.

A small population, modest-sized economy, and a high level of banking concentration.  

How to grow the economy?.

In 2016 Lithuania decided to aggressively pitch itself as a “fintech” center in Europe, launching a global campaign to build on prior years’ success in attracting fintechs..

It touted its multilingual, talented work force, quality of life, low taxes, low cost of living, and its “fintech friendly regulations and infrastructure”. The latter point was mentioned by 63% of respondents to a 2020 fintech survey.

In conformity with EU laws the CBOL issues Payment Institution (PI), Electronic Money Institution, (EMI) and Specialized Bank (SPB) licenses.

A PI may not hold customer funds on deposit. It makes “instant” payments.

An EMI may hold customer funds (legally not a deposit) but rather in the form of electronic money and make payments similar to a PI or issue payment instruments (prepaid cards, phone apps, etc) that allow a client to make a payment. 

Note an EMI does not issue or transact in virtual or cryptocurrencies.

Another key selling point was that the CBOL allows fintechs with PI and EMI licenses to make and receive payments through Centrolink—the CBOL’s payment system linked to the SEPA (Single Euro Payments Area).

My wiser, elder brother suggested that I not presume that readers know what SEPA payments are.  "Wise" advice. Quick summary.  SEPA is similar to the USA's ACH (Automated Clearing House) and the UK's BACS (Bank Automated Clearing System).   

Note SEPA still provides a channel for illicit activity as I hope my comment makes clear.

This is a major selling point as it gives these non bank entities access to the 36 SEPA countries, that is beyond the EU.

We will look at this topic in more detail in the next post.

By the end of 2020, Lithuania had achieved remarkable success. It has attracted a wide variety of fintechs, including major names.   

For more details download the 2020-2021 The Fintech Landscape in Lithuania from the Invest Lithuania site here.

230 fintech companies were operating in the country.

Roughly 50% have payment licenses.

Prior to Brexit Lithuania ranked #2 in the EU by the number of PI, EMI, and SPB licenses it had issued as per the graphic above.

After Brexit, it is now #1.

Think of that for a moment.

More than Germany (77), France (76), Netherlands (66), and Sweden (49).

And unlike those countries, Lithuania has a preponderance of EMI licenses.

The CBOL’s report on 2020 PI and EMI activity won’t be available until some time in July.

So we’ll have to make-do with the 2019 report.

That report discloses that in 2019 12 PI and 6 EMI licensees were restricted to payments within Lithuania and subject to caps on the amount of permitted transactions.

You will also find details there on income, market share, destination of payments, and the types of payments – cash deposits and withdrawals, automated payments, etc.  

In the next post we'll look at the share of Centrolink activity by the PI/EMI sector.

FT Exposes the “Dirty Secrets” on Infrastructure Cybersecurity

By Day Keeps the Free Market Working
By Night Redeems Children's Teeth for Cash

In this weekend’s FT Myles McCormick and Hannah Murphy wrote: “Pipeline ransom attack exposes vulnerability of American infrastructure to cyber threats”

At first glance this seemed to be “Sun rises in the East, sets in the West” article as the vulnerability of American infrastructure to cyber threats has been repeatedly “exposed”.

The Colonial Pipeline incident is not the first cyberattack rodeo in the USA as the authors note:

Since 2019, US critical infrastructure targets have suffered about 700 ransomware attacks, including 100 this year, according to data from Temple University in Philadelphia.

As I read on, it seemed more properly that the article exposed two key reasons why incidents like these occur and, thus, why infrastructure is insecure. 

Key reasons outlined below in bold. Quotes from the article in the list below each “point”.

Woefully and Criminally Unprepared

1. Just a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, were properly braced for an attack, estimated Matias Katz, chief executive of the cyber security group Byos.

2. The oil and gas sector has been criticised for lax cyber security regulation.

Governments have responsibility for being asleep at the switch on regulation. 

Though as Milton Friedman would tell you, if he could, there is no need for government regulation as the “Free” Market solves problems like this all on its own.

It’s all about the Benjamins.

1. But reconfiguring traditional security systems to account for the ever-changing nature of cyber threats is costly.

2. Pipeline infrastructure is largely operated by private capital, so there is often a drive to cut costs where possible.

Or, in small words, private companies avoid spending the money. 

As evidenced in the first point above, an estimated 75% of infrastructure operators. 

So it’s not the case of a few cases proving the rule about the magical prowess of the “Free” Market correct.  

But rather the overwhelming majority proving Dr. Friedman "dead" wrong.

Two further thoughts.

When the going gets tough, our national rough and tumble highly competitive private companies go running to Uncle Sugar for a handout.

1. You know them. They’re the guys who complain about welfare and how $300 a week unemployment benefits “sap the willingness of the precariat to work”.

2. While extolling how the “free” market delivers the best solutions to problems.

3. Now I’m not adverse to giving aid to those who are truly struggling.

4. Colonial Pipeline’s 2018 FYE audited report shows net profit of some US$ 470 million on total revenues of US $ 1,397 million (a very nice 33.7% net margin) and interim financials for 1Q2019 US$ 137 million in net profit (36% net margin).

5. It’s not possible to calculate a return on equity as CP has negative equity. Perhaps, due in part to a generous dividend program coupled with an earlier decapitalization (Treasury stock purchases in prior years). CP paid US $670 million dividends in 2018!

6. In light of those statistics, I think Uncle Sugar shouldn’t give them more than $299 a week lest we encourage them to slack off.

7. As you’ll note from the dearth of public information on its financials after 1Q19, CP is pretty good with keeping their financial information secure. So it’s pretty clear where their security focus is.

As to the problem being “old operational technology systems, some of which predate the internet,” having “outdated security and being difficult to upgrade”.

1. Old operational systems which predate the internet probably aren’t connected to the internet.

2. Thus, it would seem less likely to be vulnerable to hacking and capture unless miscreants were on the premises to infiltrate PLCs.

3. Analogy: If you only send snail mail, it’s unlikely that hackers are reading your correspondence.

4. In some cases if your “internet” technology or programs are “old” enough, they may be extremely difficult to hack/capture.

This is not intended as a recommendation for a Luddite return to manual or outdated systems. But rather as a counter to the “old systems” defense.

It is to repeat myself “all about the Benjamins”. 

It is a "tried and true" method to motivate folks who focus on money by "threatening" them with large fines and loss of their license to conduct business.

Profoundly Disturbing FT Article on Bitcoin and the Environment

Asleep at the Switch

 

Katie Martin and Billy Nauman had an extremely scary article in the FT on Friday 21 May.

While the main point of the article was about the amount of energy used to mine Bitcoin and its impact on the environment, it was this quote that sent the real chill down my spine. 

Tesla chief executive Elon Musk has highlighted the environmental impact of cryptocurrencies. Amid calls from climate activists for tighter rules, governments and central banks are starting to take notice.

So what the FT seem to be saying is that absent the Technoking’s statement and that of “climate activists” –who by the way have been ignored for years--, governments and central banks would still not have “taken notice”.

Thus, our fate apparently depends on the random tweets of celebrity businessmen, including one who actually thinks cryptocurrencies are investable assets and whose statements have a volatility mirroring that of Bitcoin. 

Did I mention that he has an (indirect) economic interest in a portfolio of some US $1.5 billion (cost) in Bitcoin?

Just the sort of chap one would go to for wise counsel.

What a damning statement on several levels about the official entities whose remit is, as we are told, to look out for us!

Unclear as to whether we should ascribe this sorry state to attitude or aptitude.

Or perhaps more likely to both.

This is not the only example of such behavior.

We’ve seen another just this week.

After the ransomware attack on Colonial Pipeline, the US House of Representatives “sprang” into action. Given the prior somnolence, it must have been quite a “leap”. Olympic at least.

The House Homeland Security Committee—as aptly and ironically named as the House Select Committee on Intelligence—apparently just discovered that cyberattacks and hacking pose a national security threat. 

It has in the words of the Committee’s Chairman brought a “new urgency to our work”.

Given repeated past cyberattack incidents and a manifest failure to act, it may be appropriate to remove the word “new” from the Chairman’s statement.

Otherwise, the unwary reader might be tempted to think that there was some urgency in the past.

Having made this criticism, if you’re the faithful reader of this blog, you know that I try to be fair.

I should, therefore, acknowledge Congress’s achievement in reducing pollution through the prevention of the burning of the USA flag. Achieved without a constitutional amendment or even legislation!

And I think we can be almost certain they will “stand tall” to prevent plant-based substitutes for the hamburger and beer.

So, perhaps, all is not lost.

Just most.