NBS now allows automatic video onboarding

The National Bank of Serbia ("NBS") has replaced its regulation on digital onboarding and verification of individuals with a new decision published this week[1]. The key change is the introduction of "indirect" video identification allowing NBS-supervised obligors to onboard customers through a fully automated process that does not require a live conversation between a bank employee and the customer at the time of identification. This brings Serbia's KYC framework significantly closer to international best practice and might open the door to meaningful digital customer acquisition.

Background and Context

Until now, all digital identification in Serbia had to performed by a trained employee through a live interview with the prospective customer. This model required uninterrupted real-time communication, physical separation of the employee's workspace, and simultaneous recording of the session. While this framework was progressive for its time, it was not suitable for large-volume onboarding. It also left cross-border onboarding, i.e., acquiring non-resident clients, without an efficient avenue.

A concrete illustration of this constraint is the case of a prospective crypto exchange that aborted its planned market entry in Serbia. Its business model relied on onboarding a large volume of non-resident clients who could not satisfy the three available identification routes under the old framework: physical branch visit, Serbian qualified e-signature, or synchronous video KYC with a live employee. The last option, while technically available, was considered commercially unscalable.

The Decision addresses this constraint directly.

Indirect Video Identification

The Decision introduces a distinction between two modes of video-based identification:

a) Direct Video Identification (neposredna video identifikacija)

This was the only available mode under the old regulation. It requires a live, real-time video call between the customer and a trained employee, with simultaneous recording. The employee conducts document verification, liveness checks, and identity comparison in real time. This model continues to offer the highest level of assurance through direct human oversight.

b) Indirect Video Identification (posredna video identifikacija)

Under this model, the customer engages with the firm's technical solution e.g., a mobile application, completes the identification steps in real time (uploading document images and biometric data within a live session), but does so without any concurrent live interaction with the firm's employee. Employee review takes place before or shortly after onboarding is completed.

Key requirements of the Decision

Technical Requirements

The new Decision imposes detailed technical requirements on the solution used for indirect video identification. These include:

• Encryption: End-to-end encrypted communication channel, using secure protocols and cryptographic algorithms consistent with best practice, preventing interception or tampering;
• Qualified timestamps: High-quality image and sound transmission, with each recorded image or footage timestamped using a qualified electronic time-stamp (QTS);
• Liveness detection: Mandatory liveness detection (provera živosti), confirming that the biometric data comes from a live person physically present at the time of the process. The detection is done either actively (requiring customer action such as head movement or reading a code) or passively (analysing micro-movements, skin texture, light reflection); and
• Biometric matching: Automated biometric comparison between the customer's captured facial image and the photograph in the identity document.

Mandatory pre-assessment of the technical solution

Before launching indirect video identification, obligors must conduct and document a formal assessment of the technical solution covering: adequacy of data collection, AML/CFT/PF risk impact, operational and IT risks, fraud risk (including identity spoofing), and end-to-end process testing. This assessment must be maintained and updated.

Trained employee supervision and review

As mentioned above, the most significant change brought by the Decision is that the employee of the firm does not have to conduct video identification in real time. However, a firm's trained employee will be required to supervise and review the indirect video identification process. As a general rule, this supervision and review will have to be completed before the business relationship has been established or the transaction is executed. However, exceptionally, review may be completed within 72 hours after the process is concluded, i.e., after the business relationship has been established, subject to enhanced interim controls such as transaction monitoring and limits during this window. This 72-hour ex post review window is critical for scalability: it allows an obligor to automate the onboarding flow entirely, with human review conducted in batches, without blocking the customer journey in real time.

Enhanced monitoring

Regardless of risk category, all customers onboarded through indirect video identification are subject to enhanced monitoring for 30 days from the date the business relationship is established, including transaction monitoring and limits on total transaction amounts during that period.

Expanded authentication methods

The Decision expands the methods available for confirming the customer's identity at the conclusion of the process. In addition to OTP (the only method under the old framework), obligors may now use: security codes generated within the obligor's own application (if the customer already uses it), electronic signatures, or other secure authentication methods. For indirect video identification, supplementary measures such as a follow-up telephone or video call, or physical mail to the document address, may also be used.

Exclusions – who cannot be onboarded via video KYC?

The Decision slightly extends the categories of persons that may not be identified through video KYC. These include:

• Persons previously classified as high-risk (AML/CFT/PFWMD) by the obligor;
• Offshore legal entities, or legal entities with offshore entities in their ownership structure;
• Persons from jurisdictions with strategic AML/CFT/PFWMD deficiencies (FATF lists); and
• Additional categories which the obligor itself determines, based on its own risk assessment and internal policies.

Importantly, legal representatives (zakonski zastupnici) acting on behalf of natural persons may only be identified via direct video identification, not via the new indirect mode.

Other requirements of the Decision

The Decision significantly expands governance requirements. Obligors must adopt comprehensive internal policies covering: process description, eligible customer categories, automation scope, employee supervision procedures, data protection, staff training, and recordkeeping. The compliance officer (ovlašćeno lice) is responsible for maintaining these policies, while ultimate responsibility lies with senior management.

Obligors using indirect video identification must conduct at least one annual internal control review of the process, covering a random sample of recorded sessions, to be performed by the AML compliance officer or their deputy. Extraordinary reviews are triggered by changes in risk exposure, system deficiencies, detected fraud patterns, or regulatory changes.

Where a risk materialises or a system error is identified, obligors must review all affected business relationships (prioritising highest-risk first) and take appropriate action, which may include enhanced due diligence, transaction restrictions, contract termination, classification change, or filing a suspicious transaction report with the AML authority (Uprava za sprečavanje pranja novca).

Outsourcing

The Decision provides a more detailed framework for involving third-party technology providers. Where an obligor outsources the video identification process itself (not merely technical maintenance), the third party must itself qualify as an obligor under the AML framework and must appear on the NBS list of obligors. The obligor retains full regulatory responsibility and must actively supervise the third party through regular reporting, on-site checks, and sample testing.

Where the third party merely maintains the technical solution without conducting the identification process, the obligor must ensure the infrastructure is operated in a secure environment, and all records must be maintained electronically in a protected format accessible only to authorised persons.

Detailed data governance requirements apply when a third-party stores customer data.

Transitional period

Obligors already conducting video identification under the old NBS's decision have six months from the entry into force of the Decision to align their operations and internal acts. Technical solutions may be adapted within one year. Pending notification processes initiated before the Decision will be completed under the old rules.

The Decision will enter into force on 16 May 2026.

[1] Odluka o uslovima i načinu utvrđivanja i provere identiteta fizičkog lica korišćenjem sredstava elektronske komunikacije, Official Gazette of the Republic of Serbia no. 43/2026 ("Decision").

————————————————

BDK Advokati advises clients across the banking, financial services, fintech, and digital asset sectors in Serbia and the Western Balkans. Our Banking & Finance and Data Protection practices have extensive experience in AML/KYC regulatory matters and digital financial services. If you would like to discuss the implications of the new video KYC framework for your business, please contact us.

Disclaimer: This material has been prepared for general information purposes only. It is not intended to constitute legal advice and should not be treated as a substitute for specific advice on particular circumstances. Readers should seek legal advice before taking any action in respect of matters described herein.