FinTech is no longer an add-on to traditional banking and finance; it is the backbone of modern payment services, digital banking, wallets, alternative lending, embedded finance solutions, and capital markets innovation.

From e-KYC and biometrics, through transaction processing and 3-D Secure regimes, to tokenization and digital assets, technological development is accelerating user expectations and reshaping the regulatory landscape.

Zunic Law helps both established institutions (banks, insurers, payment processors) and fast-growing startups develop FinTech products more quickly, safely, and compliantly in Serbia, the Western Balkans, and the EU.

Why Zunic Law for FinTech?

  • Deep industry understanding: we combine expertise in payment services, digital banking, e-commerce, and wallet/gateway architectures.
  • Borderless regulation: alignment with Serbian rules (e.g., National Bank of Serbia regimes) and relevant European frameworks (PSD2/PSD3, DORA, MiCA, NIS2, GDPR, eIDAS), including local implementation and supervisory aspects.
  • End-to-end approach: from product legal design, licensing, and contracts to operational compliance, training, and horizon-scanning of regulatory changes.
  • Pragmatic delivery: rapid risk identification and prioritization—focused on what makes the biggest difference for product launch and oversight.

Our Approach: Innovation That Is Both Ethical and Compliant

The future of finance is an ecosystem: Open Banking and Open Finance enable secure data sharing via APIs, while analytics and automation improve decision-making, prevent abuse, and enhance user experience.

Our task is to frame innovation with clear legal models, contracts, and policies so it develops responsibly and sustainably—with full compliance in data protection, information security, and financial supervision.

Key Practice Areas (Overview)

  1. Data analytics and automation in finance (governance & compliance)
  2. Open Banking & Open Finance
  3. Digital banking, e-KYC, and digital identification
  4. Payments, payment gateways, and processors (PI/EMI models)
  5. Digital and mobile wallets
  6. Blockchain, crypto, and digital assets (tokens, custody, licensing)
  7. Alternative lending & BNPL
  8. InsurTech / digital insurance
  9. E-commerce and embedded finance
  10. Data protection (GDPR) and cyber security
  11. Consumer protection and marketing compliance
  12. AML/CFT and sanctions regimes
  13. Competition and antitrust
  14. Investments, M&A, and joint ventures
  15. Vendor risk management and cloud outsourcing
  16. Licensing and relations with regulators
  17. Regulatory monitoring and internal training

Below are details by area, with an emphasis on the concrete results we deliver.

1) Data Analytics and Automation in Finance: From Idea to Responsible Deployment

  • Model and data governance: policies for responsible use, governance structures, bias-risk assessments, attribute explainability, and decision audit trails (e.g., scoring, fraud prevention, customer support).
  • Impact assessments and compliance: DPIA/LIA, fair-treatment assessments, integration with existing GDPR, DPA, and ISMS policies.
  • Data and privacy: legal bases for processing, minimization, pseudonymization, retention, dataset governance, and training-set quality.
  • Vendor and model risk: contracts (on-prem/cloud), SLA/OLA, liability, intellectual property, exit strategy, and portability.

Result: automation that is measurable, verifiable, and compliant, with clear controls for supervisory reviews.

2) Open Banking & Open Finance: APIs That Work for Users and Regulators

  • Legal models for data sharing and account access (AISP/PISP), boundaries of data use, access logs, and retention.
  • Contracts between banks, TPPs, FinTech partners, and infrastructure providers; allocation of liability and incident-response obligations.
  • Transparency policies: explaining to users how and why data is used; SCA and easily revocable consent.

Result: interoperable, privacy-by-design solutions that respect users and meet supervisory requirements.

3) Digital Banking, e-KYC, and Digital Identification

  • Legal architecture for remote onboarding, video identification, and use of qualified certificates/seals (eIDAS context).
  • KYC/CTF policies, risk-scoring scenarios, and residual-risk assessments by product/segment.
  • UX compliance: notices, consent, transparent terms, and user-understandable anti-fraud controls.

4) Payments and Payment Gateways: Licensing, Cross-Border, and 3-D Secure

  • Structures for PI/EMI models, agent/distributor arrangements, and cross-border services.
  • Contracts with merchants, acquirers, and card schemes; chargeback regimes, 3-D Secure/SCA, tokenization, and card-data storage.
  • Compliance with rules on data protection, record-keeping, fraud management, and incident handling.

5) Digital and Mobile Wallets: Security and Compliance in Practice

  • Licensing and cooperation models with banks/processors; white-label and co-branding.
  • Rules for tokenization, QR payments, and P2P transfers; KYC/AML, limits, supervision, and reporting.
  • Terms of use, fees, marketing claims, and customer support (complaints, refunds, dispute resolution).

6) Blockchain, Crypto, and Digital Assets

  • Structures for token-related projects (utility, payment, asset-referenced), NFTs, and loyalty programs.
  • Custody solutions, security and contractual frameworks, access, and asset segregation.
  • AML/CTF programs for crypto providers, the travel rule, sanctions, and cross-border issues.
  • Preparation for relevant European regimes (e.g., MiCA) with local implementation and coordination with supervision.

7) Alternative Lending & BNPL

  • Peer-to-peer, crowdfunding, and embedded-credit models; consumer and micro-loans.
  • Creditworthiness assessment, fair cost disclosure, and fraud detection; collections and restructuring policies.
  • Partner contracts (merchants, PSPs, rating agencies) and secondary debt-market arrangements.

8) InsurTech / Digital Insurance

  • Use of data in pricing, underwriting, and claims; automated decision-making under human oversight.
  • Partnerships between insurers and tech companies, outsourcing, product governance, and transparency to users.
  • Compliance in advertising, aggregators (comparators), and user interfaces.

9) E-Commerce and Embedded Finance

  • Integrated payments, merchant-of-record models, and checkout financing (BNPL).
  • Consumer rights, returns, dispute mechanisms, geo-blocking, and platform competition rules.
  • Contracts with PSPs, schemes, and marketplace partners; risk allocation, security, and supervisory obligations.

10) Data Protection (GDPR) and Cyber Security

  • DPIA/LIA assessments, minimization and pseudonymization; data processing agreements (DPAs) and SCCs for cross-border transfers.
  • Incident response: policies, playbooks, notification timelines and records; coordination with security teams.
  • Mapping data flows for analytical models, model cards, and access control to payment and transaction data.

11) Consumer Protection and Marketing Compliance

  • Fair advertising and avoidance of dark patterns; clearly displayed fees and terms.
  • Transparent comparisons, disclaimers, and oversight of marketing partners/affiliate networks.
  • Complaints handling, ADR/ODR mechanisms, and fast procedures for resolving user disputes.

12) AML/CFT and Sanctions

  • Compliance programs: policies, procedures, risk matrices, customer profiling, transaction monitoring, and SAR/STR filings.
  • Screening and list management: PEPs, sanctions, adverse media; record-keeping and audit trails.
  • Training, testing, scenario tuning, and continuous improvements with risk and data teams.

13) Competition and Antitrust

  • Platforms and marketplaces: MFN clauses, self-preferencing, exclusivities, and interoperability.
  • Legal framework for distribution, partnerships, and joint-development projects.
  • Compliance programs and dawn-raid preparedness.

14) Investments, M&A, and Joint Ventures

  • Term sheets, SAFE/convertible instruments, SHAs, and ESOP plans.
  • Regulatory due diligence (licenses, compliance, IP, data), approvals, and post-closing integration.
  • Strategic partnerships with banks/insurers and build-operate-transfer models.

15) Vendor Risk Management and Cloud Outsourcing

  • Vendor categorization, SLA/OLA, audit rights, and security requirements.
  • Cloud and SaaS agreements: availability, continuity, exit plans, and data portability.
  • Compliance with operational-resilience frameworks (e.g., DORA) and internal IT/InfoSec standards.

16) Licensing and Relations with Regulators

  • Mapping requirements and the licensing path (PI/EMI, payment activities, investment services, crypto services).
  • Preparation of documentation, policies, and procedures; risk-management programs and internal controls.
  • Communication with supervisors, responses to inquiries, remediation, and corrective-action plans.

17) Regulatory Monitoring and Internal Training

  • Horizon scanning: timely updates on new rules and guidance.
  • Workshops for product, legal, compliance, risk, and engineering teams – compliance-by-design from day one.
  • Product-launch checklists and quarterly “health-check” reviews.

What Collaboration with Us Looks Like (4 Steps)

  1. Rapid discovery — a short workshop with key teams (product, legal, compliance, risk, data/IT).
  2. Compliance mapping — gap analysis, priorities, plan, and KPIs (what, when, who).
  3. Implementation — drafting policies/procedures, contracts, training, and technical controls.
  4. Operational support — ongoing advice, monitoring, policy updates, and audit/supervisory preparedness.

Examples of Completed Projects (Non-Confidential)

  • Payment institution (Serbia/EU): licensing path, merchant and acquirer contracts, 3-D Secure and SCA policy, incident playbook.
  • Digital wallet: cooperation model with a bank, tokenization and P2P transfers, compliant onboarding and UX.

Tijana Žunić Marić

Nemanja Žunić

Frequently Asked Questions (FAQ)

Do you support startups without an in-house legal team?

Yes. We offer an “MVP compliance” minimum and gradually roll out policies as the product and volumes grow.

Yes. We design a framework compatible with Serbian rules and relevant EU regimes, with local tailoring.

We combine classic legal DD with specific regulatory & data checks (licenses, AML, data protection, security).

Yes. Tailored workshops (product, compliance, engineering), practical checklists, and industry-based examples.

It depends on the model (PI/EMI, etc.) and documentation readiness. The critical factors are a clearly defined business model, risk controls, and policies.
