1. Regulatory recap
There has been significant banking-related regulatory and legislative activity in Bosnia and Herzegovina in the first half of 2025:
- both sub-sovereign entities, the Federation of Bosnia and Herzegovina (FBiH) and Republika Srpska (RS), have each amended their main banking statutes[1];
- the Banking Agency of the FBiH (FBA) has published its expectations for the banking industry[2], which focus on risk management, sustainable finance, and cyber resilience, among other matters (“FBA Guidance”);
- FBA and the Banking Agency of Republika Srpska (ABRS) have each issued new rules on information and communication technology (ICT) risk management[3], including management of risks associated with ICT outsourcing arrangements;
- the ABRS has awarded the first two licenses to electronic money institutions.
We discuss the major points of those developments in more detail below.
2. ESG Risks and Sustainable Finance
The FBiH Banking Act now requires banks in FBiH to include the “environmental, social and governance risk” or “ESG risk”[4] in their risk management framework. This essentially means that banks will have to step up efforts to identify, measure or assess, monitor, manage, mitigate and report ESG risks adequately, continuously and in a timely manner, including by:
- assigning responsibilities for managing ESG risks to board members and/or committees;
- embedding the management of ESG risks in policies, procedures and controls;
- assigning roles and responsibilities for identifying and managing ESG risks throughout the bank’s organizational structure; etc.
ESG, in particular climate and environmental risks, has been a focus for FBA for some time. FBA had previously instructed banks to assess the role of ESG risks as a potential driver of “traditional” financial risks, including credit, operational, and liquidity risks[5]. For example, if the key assets of the borrower (e.g. the production site) or the collateral are located in an area that is particularly vulnerable to environmental hazards, this could increase the credit risk associated with such borrower. With respect to liquidity risk, banks should consider how ESG risks could affect net cash outflows. For example, the liquidity of a borrower that relies heavily on fossil fuels for its production process could be affected because such borrower could lose revenue from EU-based clients due to non-compliance with their ESG procurement standards.
The FBA has announced in the FBA Guidance that it will assess if the banks are progressing with their ESG risk management obligations and stress test banks for impacts of climate change.
On a related note, the FBA Guidance also encourages local banks to increase their sustainable lending activities, particularly for capital intensive projects that would have to involve several banks and international investors.
3. Capital Adequacy Standards
- Large Exposure: The amendments to the FBiH Banking Act stipulate that the large exposure limit is based on a bank’s Tier 1 capital rather than on its regulatory capital. This represents a tightening of the large exposure limit due to the narrower definition of relevant capital. On the other hand, the amendments have increased the limit on an unsecured loan to a single borrower or closely related group of borrowers from 5% of the bank’s regulatory capital to 10% of the bank’s Tier 1 capital.
- Similar to the FBiH Banking Act, the RS Banking Act now also refers to bank’s Tier 1 capital instead of its regulatory capital for the purposes of calculating the large exposure limit.
- Capital Adequacy Ratio: The capital ratio of banks in RS is lowered from 12% to 10%, effective from 31 December 2026.
4. Digitalization
- Use of electronic documents: The new rules provide that if the law requires that a transaction be in written form (e.g., a loan transaction), the written form requirement is deemed satisfied by an “electronic document”. The amendments also authorize ABRS to regulate the manner and conditions under which the banks will be allowed to use electronic video communication systems to on-board customers remotely, i.e., without physical contact. This implementing regulation is due by the end of this year.
- Automated Models: The amended RS Banking Act introduces the possibility for banks to utilize automated models in creditworthiness assessments and credit decision-making. The application of automated decision-making in the credit-granting process will have to be in line with the bank’s credit risk policy. Among other things, banks will have to identify the products, segments and limits for which automated decision-making is allowed. Banks will be required to disclose automated decisions to their customers. A dissatisfied customer will be entitled to have their credit application reviewed by the credit committee.
- Digital Operational Resilience: Banks operating in Bosnia and Herzegovina now face sweeping new regulatory requirements for ICT risk management and operational resilience. In the first half of 2025, both the FBA and the ABRS enacted parallel regulations governing information system management in banks. These frameworks closely mirror the EU Digital Operational Resilience Act (DORA), aiming to align Bosnia’s financial regulatory architecture with EU standards and increase resilience to cyber threats and ICT disruptions.
The new frameworks impose detailed requirements on all licensed banks in both the FBiH and RS concerning:
- ICT governance and internal control systems;
- ICT risk identification and management procedures;
- incident reporting and classification;
- oversight of outsourced ICT services;
- business continuity and disaster recovery planning; and
- regular testing of operational resilience.
The regulations introduce board-level accountability for ICT risk, mandatory documentation standards, and a structured approach to outsourcing and third-party risk. These are key requirements:
a) Integrated ICT Risk Management
ICT risks must be embedded in the bank’s overall risk management framework, with tolerance thresholds and controls approved by the management board.
b) ICT Incident Reporting
Banks are required to log, classify, and report major ICT-related incidents to the regulator using prescribed forms and timeframes.
c) Operational Resilience Testing
Banks must periodically test their systems against potential threats, including cyberattacks and system failures.
d) Board and Management Accountability
Senior management must regularly assess the effectiveness of ICT risk controls and ensure corrective actions are implemented in response to deficiencies or incidents.
e) Third-Party Risk Oversight
All critical or material outsourcing arrangements involving ICT services must be governed by robust contracts, including audit rights, access controls, business continuity assurances, exit strategies and termination rights.
Bringing outsourcing arrangements into compliance with the mandatory content of local DORA equivalents is one of the biggest challenges that financial institutions in the region face. Bosnian banks should promptly reassess all existing outsourcing arrangements and start negotiating addendums addressing the new regulatory requirements.
5. NPLs
The new rules relax the conditions for the sale of non-performing loans (NPLs). Banks are now permitted to sell retail NPLs to local investment funds, in addition to banks and other financial institutions licensed by the ABRS. Furthermore, banks are no longer required to obtain the ABRS’s consent prior to selling NPLs, unless the amount of such loan is “materially significant”. The ABRS has been mandated to enact implementing regulation to further specify certain aspects of the new rules, including the definition of “materially significant amounts” of NPLs.
6. Bank Recovery and Resolution
The ABRS’s supervisory tools for dealing with failing or unsound banks closely follow the EU’s Bank Recovery and Resolution Directive. The newest amendments entitle ABRS to suspend any payment or delivery obligations, as well as the counterparty’s termination rights and rights to enforce security interests pursuant to any contract to which a bank is a party, even before the initiation of the resolution proceedings. The suspension may last from the date indicated in the notice of suspension until midnight at the end of the following business day. The suspension may apply to all of the bank’s liabilities except the claims of payment and settlement systems and taxes and other levies.
7. E-money and Payment Services
The 2025 amendments to the RS Banking Act include electronic money in the scope of activities that can be carried out by banks in RS. This is an alignment with the electronic money regulations that were enacted last year[6]. ABRS has licensed two electronic money institutions in the meantime, whereas FBiH still has not enacted its own payment services regulations. We expect that both sub-sovereigns will align with the EU regulations in this area by the end of the next year given the ambition to join SEPA in that period.
[1] Zakon o bankama, Official Gazette of the Federation of Bosnia and Herzegovina, nos. 27/2017 and 22/2025; Zakon o bankama, Official Gazette of Republika Srpska, nos. 4/2017, 19/2018, 54/2019, 63/2024 and 45/2025
[2] https://www.fba.ba/upload/docs/1supervizorska_ocekivanja_u_vezi_sa_postupanjem_banaka_u_2025_godini_WCa.pdf
[3] Odluka o upravljanju informacijsko-komunikacijskim sustavom i IKT rizikom u banci, Official Gazette of the Federation of Bosnia and Herzegovina, no. 16/2025; Odluka o upravljanju informacionim sistemom i rizicima informacione i komunikacione tehnologije u banci.
[4] The ESG risk is defined as a risk of financial loss, additional expenses, loss of revenue, or reputational damage arising from the negative impact of current or prospective ESG factors on the bank’s counterparties or their assets
[5] FBA’s Guidelines on the management of climate and environmental risks (Smjernice za upravljanje rizicima povezanim sa klimatskim promjenama i okolišnim rizicima, Official Gazette of the Federation of Bosnia and Herzegovina, no. 57/2023)