RegRally Insights: Regulatory Compliance Updates, October 2025
ECOVIS ProventusLaw
November 11, 2025

Dear reader,
Welcome to the Regulatory Compliance Update, our all-in-one compliance newsletter covering the developments you should familiarise yourself with this month.
Here's what our team of experts has prepared for you in our October 2025 issue.
AML/CTF Regulation
EBA Assesses Growing White Labelling Practices Across EU Financial Sector
The European Banking Authority (EBA) has released its first in-depth report on white labelling in EU financial services, revealing its widespread and expanding use—especially in payments, credit, and open banking. Around 35% of surveyed EU banks engage in such arrangements, often with non-financial partners, including retailers, telecoms, and Big Tech companies.
While white labelling fosters innovation and financial inclusion, the EBA warns of rising compliance, AML/CFT, and consumer protection risks due to unclear accountability, partner-dependent KYC processes, and limited supervisory oversight. To address these issues, the EBA will integrate white labelling into its 2026 Union Supervisory Priorities and enhance supervisory tools to promote consistent oversight across the EU, without requiring legislative changes.
EMI/PI Regulation
New EU Fraud Prevention Measure: Beneficiary Name Check Service Launched
Banks, credit unions, and electronic payment institutions across the EU have implemented a new "beneficiary name check" service designed to prevent fraud and misdirected payments. This service ensures that the name of the payment recipient matches the account holder's name before a transaction is confirmed.
Key Details:
- Purpose: To reduce fraud and accidental payments by verifying recipient names
- Implementation: The Bank of Lithuania has developed the necessary infrastructure within the CENTROlink payment system, with 70 financial institutions already offering the service
- Verification Messages: Users will receive one of four messages during the payment process:
  - Full Match: Names fully match
  - Close Match: Minor discrepancies; corrected information provided
  - No Match: Significant differences indicating possible fraud or error
  - Unable to Verify: Issues like transfers outside the euro area or technical problems
- Privacy Note: Verification results are only visible within the payment provider's platform, and users will not receive emails or SMS for verification requests
Personal Data Protection and ICT Regulation
EDPS Releases Updated Guidelines on Generative AI and Data Protection
The European Data Protection Supervisor (EDPS) has published revised guidelines addressing the use of generative Artificial Intelligence (AI) and the processing of personal data by EU institutions (EUIs). This update reflects the rapid advancements in technology and the unique challenges posed by generative AI systems.
Key Updates:
- Commitment to Compliance: The guidelines reaffirm the EDPS's commitment to supporting EUIs in fulfilling their data protection obligations under Regulation (EU) 2018/1725
- Refined Definition: A more precise definition of generative AI is provided for improved understanding and consistency
- Compliance Checklist: A new, action-oriented checklist helps EUIs assess the legality of their data processing activities
- Clarified Roles: Guidance on the roles of EUIs—whether as controllers, joint controllers, or processors—is detailed to aid in compliance
- Advice on Data Rights: The guidelines include specific recommendations regarding lawful bases, purpose limitation, and managing data subjects' rights in the context of generative AI
The revised guidance emphasises the EDPS's proactive role in overseeing technological developments while ensuring privacy and data protection. The EDPS will continue to monitor the evolution of generative AI and update its guidance as needed to address emerging issues.
Financial and Economic Sanctions
EU Approves 19th Sanctions Package Against Russia
The European Union has adopted its 19th sanctions package against Russia, expanding restrictions in the energy, finance, and technology sectors.
Key Highlights:
- LNG Ban: A phased ban on Russian liquefied natural gas (LNG) will end short-term imports within six months and all long-term contracts by the end of 2027
- Asset Freezes: Additional Russian banks, crypto service providers, and intermediaries involved in sanctions evasion face extended asset freezes and restrictions
- Diplomatic Movement: Tighter limits are imposed on the movement of Russian diplomats, alongside enhanced coordination for enforcement and tracking circumvention
Labour Law
VDI Reminder: One-Hour Reduction in Working Hours Before Public Holidays
The State Labour Inspectorate (VDI) has reminded employers of the requirement to reduce working hours by one hour on days leading up to public holidays. This rule applies to all employees, including part-time and on-call workers.
Exemptions: Employees with reduced working hours (e.g., healthcare professionals, teachers, and public sector workers with childcare responsibilities) are exempt from this reduction.
Key Points:
- If an employee holds multiple positions, the total working day is shortened by one hour for all roles combined
- Shifts that start the day before a public holiday and end on the holiday itself are also reduced by one hour
- Working hours are reduced before each consecutive public holiday
- For employees working two shifts before a public holiday, each shift is reduced by one hour
Consumer Protection
Lithuanian Central Bank Urges Crypto Providers to Complete Licensing Before Deadline
The Bank of Lithuania is reminding virtual currency exchanges and wallet operators that the transition period for obtaining a license ends on December 31, 2025. Only licensed entities will be permitted to offer crypto-asset services, and both providers and clients must prepare for this new regulatory framework.
Current Status: Nearly 50 companies have applied for a crypto-asset service provider license since early 2025, but only one has been approved, as many applications have lacked sufficient preparation to meet the minimum requirements.
Important Actions:
- Operators not seeking a license must promptly inform clients about ceasing operations and provide clear instructions for asset withdrawals
- Continuing unlicensed activities after the deadline may lead to blocked websites and being listed as illegal entities
Crypto Regulation
ESMA Clarifies Transitional Rules for "Legacy" Crypto-Assets Under MiCA
ESMA has confirmed that crypto-assets admitted to trading before 30 December 2024 ("legacy tokens") are only subject to MiCA marketing communication requirements, without an immediate obligation to issue new white papers. However, trading platform operators must ensure that by 31 December 2027, each listed legacy token has a MiCA-compliant white paper prepared, notified, and published. Other CASPs are only required to provide links to existing registered white papers. Tokens not traded on platforms may remain without MiCA white papers beyond the transition period. This three-year window positions trading platforms as key compliance gatekeepers for pre-MiCA crypto-assets.
Attention: Mandatory Requirements
Ensure DORA Compliance: Conduct a Gap Analysis Today
The European Union's Digital Operational Resilience Act (DORA) enhances IT security for financial institutions, including banks, payment and e-money institutions, insurance companies, and investment firms. To achieve full compliance, conducting a gap analysis is essential in identifying and addressing any areas of non-compliance.
At ECOVIS ProventusLaw, we offer a DORA Compliance Self-Assessment Tool, enabling businesses to:
- Assess ICT risk management, incident reporting, resilience testing, and third-party oversight
- Review compliance status with over 200 targeted questions
- Strengthen digital resilience and mitigate cyber risks
Gap analysis is critical to ensure your organisation fully complies with DORA's stringent requirements. Contact us at vilnius@ecovis.lt to access the tool and receive expert advice.
Ensure Compliance with the EU Whistleblower Directive
The EU Whistleblower Directive is mandatory for financial institutions, as outlined in Resolution No. 03-33 of the Board of the Bank of Lithuania. This resolution mandates the establishment of a confidential and secure reporting channel for breaches of EU law. It establishes minimum standards for reporting mechanisms and safeguards whistleblowers from retaliation, thereby strengthening Environmental, Social, and Governance (ESG) principles throughout the European Union.
We offer a Whistleblowing System that helps companies comply with the EU Whistleblower Directive. Please contact us at vilnius@ecovis.lt.
Free NIS2 Self-Assessment Tool
ECOVIS ProventusLaw offers a free, user-friendly NIS2 self-assessment tool to help organisations evaluate their alignment with the Cybersecurity Act and the Lithuanian Government's NIS2 implementation requirements.
Upon your request, the ECOVIS ProventusLaw team can conduct a compliance analysis, identify gaps, provide a further action plan and recommendations, and assist you in implementing the above requirements.
Subscribe now and get RegRally Regulatory Compliance Updates, an overview of the most significant monthly Regulatory news, and expert recommendations!
Your experienced advisor,
ECOVIS ProventusLaw