The amended Law on Payment Services introduces significant changes for the fintech industry
In early August 2024, the Law Amending the Law on Payment Services (hereinafter: the “Law”) entered into force, aiming to enhance the payment services market in Serbia, foster the digitalization of financial services, and align the regulatory framework with that of the European Union, specifically with the PSD2 Directive. The Law will become applicable as of May 6, 2025.
The primary objectives of the Law are to encourage innovation, increase competition and transparency in the provision of payment services, and ensure greater consumer protection and security in payment transactions.
The key novelty introduced by the Law is the implementation of open banking in Serbia. In broad terms, open banking represents a regulatory and technological framework that enables the secure sharing of payment service users’ data between banks providing payment services and third parties – non-bank payment service providers.
To facilitate this concept, the Law defines two entirely new types of payment services:
(i) payment initiation services (“PIS”);
and
(ii) account information services (“AIS”).
These payment services enable the expansion of new business models and services, presenting a significant opportunity for innovative companies and startups operating in the fintech industry. And where there is innovation, there are also tax incentives.
In addition, the Law establishes clear rules applicable to all providers of innovative payment services, ensuring a level playing field that enhances market efficiency and service diversity. A particular emphasis is placed on the security of electronic payments and the protection of users’ personal data, including measures for strong authentication and the management of operational and security risks. Failure to comply with these requirements may result in severe penalties, not only under the Law but also by personal data protection regulations.
Overall, the adoption of these amendments brings substantial benefits to all payment service users by enhancing consumer protection, expanding the range of available services, and reducing costs, while simultaneously contributing to the development and improvement of the payment services market in Serbia.
Below is an overview of some of the most important novelties introduced by the Law.
Open Banking: What Does It Mean?
Open banking entails the secure sharing of payment service users’ data between banks as payment service providers and other (non-bank) payment service providers. This is only possible with the explicit consent of the payment service user and through software solutions designed to ensure the secure exchange of such data.
To implement this concept, the Law introduces two new types of payment services:
(i) PIS – allows users to initiate payment transactions from their accounts held with other payment service providers, creating an alternative to card payments for online purchases
and
(ii) AIS – provides a consolidated overview of all a user’s payment accounts held with different payment service providers, enabling better financial control and expense categorization.
PIS and AIS can be offered by existing payment service providers, such as banks, electronic money institutions, payment institutions, and public postal operators. However, AIS is subject to more flexible regulations, allowing these services to also be provided by entrepreneurs. Banks will generally be required to grant access to PIS and AIS providers, with limited grounds for refusal – such as unauthorized access or suspected fraud – subject to notification of the regulator.
Currently, payment initiation by users is a prerequisite for executing payment transactions via mobile or online banking, as well as for card payments at physical or online points of sale. However, within the framework of open banking, payment initiation constitutes an additional service provided by a licensed provider at the user’s request, from an account held with another payment service provider.
In practice, this service is particularly relevant for e-commerce. When a user selects a product on an online store via their mobile phone, enters their account details, and chooses a payment instrument such as PayPal, card payment, or a Payment Initiation Service Provider (“PISP”) option like “Pay by bank” or “Pay through bank,” they utilize open banking services. Upon selecting PISP, the user chooses the bank or payment institution through which they wish to process the payment and confirms their identity, thereby authorizing the transaction. Some of the most well-known PISPs in Europe include the UK-based Volt and Sweden’s Trustly.
Before initiating a payment transaction, your Payment Initiation Service Provider (“PIS Service Provider”) is required to provide you with clear and comprehensive information.
Once you initiate a payment transaction through the service provider, they must immediately provide you, and if necessary, the payee, with the following information: confirmation of the successful execution of the payment order, a transaction identification code, and any fees charged by the PIS Service Provider in connection with the initiated transaction.
The main advantage of this service compared to existing online payment methods is the ability to conduct transactions without using payment cards. Instead, it operates as a standard transfer order, as the new payment service provider gains access to the user’s bank account based on the user’s consent. This creates opportunities for new payment solutions that are easier to integrate and have lower costs for domestic online merchants.
To illustrate the new amendments to the Law, imagine the following situation.
Ana decides to buy a new mobile phone from her favorite online store. Until now, she has usually used her payment card or PayPal for payments, but this time, she noticed a new option – “Pay by bank” or “Pay through bank” via the PISP (Payment Initiation Service Provider) service.Ana selects the phone she wants, adds it to her cart, and proceeds to checkout. Instead of entering her card details, Ana chooses the PISP option. A list of banks and payment institutions that her online store cooperates with appears. Ana selects her bank from the list, enters her account details, and confirms her identity through the mobile banking app.
At that moment, the PISP service initiates the payment on Ana’s behalf from her bank account, without requiring her to enter her account details directly on the store’s website. Ana quickly receives confirmation that the payment has been made, and her new phone is on its way.
Additionally, Ana can now use another advantage of open banking – a consolidated view of her accounts. Through the same application, Ana can track the balances of all her accounts, even those held with different banks, in one place. So, while waiting for her new phone, Ana quickly checks her account balances and plans her next purchases.
Availability of Funds
The Law further mandates rules for confirming the availability of funds when using payment cards. When initiating a payment transaction via payment card, the payment service provider maintaining the payer’s account is required to immediately respond to a request from another service provider (e.g., the PIS Service Provider), confirming the availability of funds in the payer’s account. This confirmation is strictly limited to a “yes” or “no” response without disclosing the exact account balance and may only be used for executing the specific payment transaction.
PIS Service Providers are authorized to use payment initiation services exclusively with the explicit consent of the payment service user. PIS implies that the provider must not hold the user’s funds or access their personalized security credentials unless necessary for executing the transaction. Additionally, the PIS Service Provider must ensure the secure transmission of data and communication with the payment service provider maintaining the payer’s account.
Similarly, AIS enables payment service users to access their financial information online, subject to their explicit consent. The provider of this service must maintain the confidentiality of user and transaction data, using it solely for the purpose of providing account information services, without altering the data or using it for any other purposes.
These regulations ensure the secure and protected use of payment services while safeguarding the privacy and integrity of users’ financial data.
Testing Innovative Financial Services Under Regulatory Supervision
The Law introduces the possibility of applying a Regulatory Sandbox in the field of payment services, representing a significant step toward fostering innovation in Serbia’s payment services market. This measure aims to improve the position of fintech companies and enhance competition in the open banking sector, where fintech companies and the banking sector are direct competitors. Previously, the ability to develop solutions that did not fully comply with payment services regulations existed within the framework of the limited network exemption. However, with the introduction of specific rules under the regulatory sandbox, companies and payment service providers would be able to test new or significantly improved payment services across various payment service types without the immediate obligation to meet all regulatory requirements or bear the costs of compliance.
The National Bank of Serbia (“NBS”) is authorized to define specific conditions under which exemptions from the application of all or specific provisions of the Law may be granted for a defined period, exclusively for the purpose of testing an innovative service. To qualify for the regulatory sandbox, a service must demonstrate a certain level of innovation and constitute a new or significantly enhanced service compared to existing payment services available in Serbia.
The introduction of such rules is expected to be part of a continuous regulatory policy aimed at encouraging innovation in payment services. As previously mentioned, this mechanism could be particularly beneficial for fintech startups and new market entrants looking to test their business models without incurring significant initial regulatory costs or compliance risks.
Foreign E-Money Issuers – New Rules and Restrictions
The amended Law on Payment Services introduces stricter rules for foreign e-money issuers (“EMI”) providing services to users in Serbia. The key change relates to the mandatory registration with the NBS and the prohibition of payment transactions with unregistered EMIs.
Previously, foreign EMIs could provide certain payment services to users in Serbia without obtaining an NBS license, with only an obligation to notify the NBS, but without any consequences for non-compliance. The amended law now explicitly states that EMIs not registered with the NBS cannot conduct transactions with Serbian residents. This means that local payment service providers are prohibited from processing transfers between users in Serbia and foreign EMIs unless they are registered. Serbian residents will no longer be able to fund their digital wallets with unregistered foreign EMIs or withdraw fiat currency from e-money issued by such entities.
Cross-border payments remain permitted in accordance with foreign exchange regulations, but the new law explicitly prohibits local payment service providers from processing transactions if the foreign EMI is not registered with the NBS.
The NBS is now authorized to deny registration or remove a foreign EMI from the register if it determines that its activities are linked to money laundering or terrorist financing. Additionally, already registered foreign EMIs must provide an official email address for communication with the NBS.
Measures for Managing Security Risks
To enhance security and reliability in the provision of payment services, the Law introduces a new section addressing the management of operational and security risks (Chapter Va). It is crucial for service providers to manage operational and security risks appropriately, which includes establishing systems with adequate measures and internal controls to mitigate such risks. Service providers must also develop security policies that assess the risks associated with the payment services they offer and outline security controls and mitigation measures.
A key aspect of these requirements is the implementation of effective incident management procedures, including the detection and classification of significant operational and security incidents. Service providers are required to regularly submit updated assessments of operational and security risks to the NBS, along with statistical data on fraudulent activities or abuses related to various payment methods.
Regarding user authentication, service providers must implement strong authentication mechanisms in cases such as accessing payment accounts online, initiating electronic payment transactions, or performing any activity that may pose a fraud or abuse risk. These measures include the use of security elements that protect the confidentiality and integrity of users’ personalized security credentials.
The NBS is in charge of providing detailed technical standards for authentication and communication to ensure compliance with security requirements in payment services. These standards cover requirements for common and secure open communication standards for the identification, authentication, notification, and information exchange between payment service providers, as well as security measures for data exchange.
Access to Bank Accounts – A New Obligation Imposed on Banks?
The newly introduced Article 149a of the Law requires banks to grant payment institutions and electronic money institutions access to services related to the opening and maintenance of payment accounts. This regulatory framework fosters transparency and equality in banking services provided to payment institutions and electronic money institutions. By ensuring access on an objective, non-discriminatory, and proportionate basis, the regulation promotes fair market competition, innovation, and improved services for payment system users. Additionally, the requirement for banks to provide a justification to the NBS in cases where access is denied further enhances accountability and transparency in banking operations. The NBS plays a crucial role in overseeing and establishing clear rules to ensure that this obligation is effectively implemented in the best interests of all market participants.
What Happens When Serbia Joins the European Union?
Under the provisions of the Law, the National Bank of Serbia is tasked with notifying relevant European authorities on various aspects of financial supervision and management in Serbia. This obligation carries significant implications for several reasons:
- International Cooperation and Transparency:
The NBS is required to promptly inform the European Banking Authority (EBA) and the European Central Bank (ECB) about incidents within the financial sector, thereby enhancing international cooperation and transparency. This enables a swift response to incidents that may have cross-border implications or consequences.
- Integration into European Regulations:
This approach aligns national regulations and supervisory practices with European standards and requirements, which is essential for harmonizing legal frameworks and operational practices in the financial sector. It also contributes to maintaining financial system stability on a broader scale.
- Increased Accountability and Efficiency:
The National Bank of Serbia is responsible for ensuring the accuracy of the information provided to European authorities, thereby elevating the level of accountability and efficiency in financial sector oversight and governance in Serbia.
- Protection of Serbia’s Interests:
Cooperation with the EBA and ECB also serves to safeguard Serbia’s interests by ensuring timely reporting and response to developments that may affect the stability of the financial market.
Instead of a Conclusion
The adoption of this Law brings numerous benefits to all payment service users in Serbia. Most notably, these amendments significantly enhance consumer protection, expand the range of available services, and reduce costs. Additionally, the overall payment services market stands to benefit from the establishment of a legal foundation for the development of new, innovative business models and services.
These regulatory changes represent a significant step forward in the modernization and digitalization of the financial sector, enabling users to access more advanced, secure, and cost-efficient payment solutions. Serbia is not only aligning its legislative framework with European standards but is also paving the way for technological advancement and increased competitiveness in the global market, making it an attractive destination for investment. The only question that remains is how these changes will be implemented in practice and what their true impact will be.
