Serbia amends payment services regulations to allow open banking services

The Serbian Parliament has approved the amendments to the Payment Services Act (“PSA“) which are meant to mirror PSD2 and introduce open banking driven services to Serbian market. The amendments will begin to apply from 6 May 2025. We here summarize the most relevant changes.

1. Who does these amendments affect?

Firms that will be affected by the amendments to the PSA include:

• foreign e-money issuers (“EMIs“) registered with the National Bank of Serbia (“NBS“), who currently provide limited payment services to Serbian residents in reliance on the exemption under Article 225 of the PSA (see paragraph 2 below for more details);
• firms not currently licensed or registered with the NBS that carry out activities that fall under the exemptions from the requirements of the PSA (see paragraph 3 below for more details);
• firms interested to provide account information services and payment initiation services, which so far have not been regulated by PSA (see paragraph 4 for more details);
• existing locally licensed payment service providers (PSPs), who will have until February 2025 to adjust their bylaws to meet the requirements of the amended PSA; and
• fintech startups looking to test their business model without incurring significant costs (see paragraph 5 for more details).

2. Exemptions from licensing requirements for cross-border transactions:

The PSA still does not require foreign EMIs to get a licence from the NBS if they process cross-border payments of Serbian residents in accordance with the foreign exchange regulations. According to those regulations, a foreign EMI can execute Serbian residents’ cross-border transactions for electronic purchase or sale of the goods and services. The PSA so far required foreign EMIs who used this exemption to notify the NBS, but it did not impose any consequences for failure to do so. However, a few years ago, the NBS published an opinion that Serbian residents are allowed to make and receive cross-border payments via foreign EMIs only if those foreign EMIs were registered with the NBS. The amended PSA now supports this opinion and explicitly prohibits local PSPs to process payment transactions (i.e., transfers between Serbian customers and foreign EMIs) if the EMI is not registered with the NBS. This means that the residents will not be able to fund their foreign e-wallets nor receive fiat currency when they redeem e-money from the non-registered foreign EMI. The new rules require the already-registered EMIs to supplement information provided to the NBS with email address that those EMIs will use for exchange of notices with the NBS. Finally, the amended PSA now provides that the NBS will deregister the EMI (or refuse its registration) if it finds that the activities of this EMI are connected with money laundering or terrorism financing.

3. Exemptions from licensing requirements for local transactions:

The following activities remain outside the scope of the PSA:

• Direct cash payments from the payer to the payee;
• Cheques and paper instruments;
• Cash transportation (e.g. cash deliveries by commercial security companies);
• Payment services associated with securities asset servicing (e.g. dividend payments);
• Technical service providers;
• Independent ATM deployers (except that these service providers will now be obliged to inform the customer on any foreign exchange conversion or cash withdrawal charges).

Some of the existing exemptions will be revised and narrowed down. These most notably include the commercial agent exemption (Article 3(2)), the limited network exemption (Article 3(11)) and the electronic communications exemption (Article 3(12)). We break down these revised exemptions below:

a) Commercial agent exemption (“CAE”):

The amended PSA and its licensing requirements will not apply to “payment transactions executed through a commercial agent authorised to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee“.

The exemption is narrowed down by the new rules. Under the literal wording of the original exemption, the agent could have generally acted as an intermediary on behalf of both individual buyers and sellers. That said, historically, the NBS had been cautious with respect to the CAE. In one instance, the NBS opined that the service provider could not qualify for the exemption because it intended to act as an agent of the payee which would however charge the payors for the service. The amended PSA now explicitly states that CAE will apply when agents act only on behalf of the payer or only on behalf of the payee. Depending on their business model, some firms such as e-commerce platforms that facilitate transactions between buyers and sellers may become subject to the licensing requirements because of this change.

b) Limited network exemption (“LNE”):

The amended PSA and its licensing requirements will not apply to “services based on specific payment instruments that can be used only in a limited way, if they meet one of the following conditions:

• instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer;
• instruments which can be used only to acquire a very limited range of goods or services;
• instruments provided at the request of an undertaking or a public sector entity and regulated by a national or other public authority for meeting specific objectives of social or tax policies, provided that such instruments can be used only in Serbia and only to acquire specific goods or services from suppliers having a commercial agreement with the issuer.

The LNE is now subject to one principle requirement that the payment instrument can only be used “in a limited way” ([instrument] (…) se može koristiti samo ograničeno) and the three alternative conditions. Theoretically, this could mean that the instrument could meet one of the conditions set out in limbs (i) to (iii), but the NBS may still take a view that it is not sufficiently limited and therefore disqualify it from the exemption.

The NBS has already interpreted the original LNE narrowly and the new wording now gives less room for application. The alternative condition referred to in limb (b) now requires, among other things, that the instrument is used to acquire a “very” limited range of goods and services, whereas the PSA has so far used the phrase “limited” range.

The NBS has not published any guidance on the new rules yet, but based on the way how the PSD2 is generally applied by EU regulators, we would expect that the instruments benefiting from the exemption would include: store cards – where these are used only at the issuer’s premises; transport cards – where these are used only for purchasing tickets from service providers within a closed transport system, e.g. a city; fuel cards – where these are used only at stations of a specific fuel seller; etc.

Finally, the firms relying on the LNE will now be required to notify the NBS if the value of payment transactions executed by them was more than €1 million in RSD counter-value in the previous 12 months. The notification should include the description of their activities and reasons why the firm thinks it qualifies for the exemption. The NBS will then consider the notification and determine whether the service falls within the exemption. The NBS’s determination will be final; if the firm disagrees with the assessment, there is no possibility to refer the matter to another body or authority.

c) Electronic communications exemption (“electronic communication exemption” or “ECE“):

The amended PSA and its licensing requirements will not apply to: “payment transactions by a provider of electronic communications networks or services provided in addition to electronic communications services for a user of the network or service, subject to the following conditions:

(i) These transactions are purchases of digital content and voice-based services, regardless of the device used for the purchase or consumption of the digital content; or these transactions are donations to registered charities or purchases of tickets, performed via an electronic device, and in all those cases the additional service is charged to the user’s bill for the electronic communication services; and

(ii) the value of any single payment transaction referred to in point (i) does not exceed RSD 6,000 (around EUR 50) and the cumulative value of the payment transactions referred to in point (i) for an individual user does not exceed RSD 36,000 (around EUR 300) per month, irrespective of whether the user pre-funds its account with the provider of the electronic communications network or service, or settles these payments subsequently or in another way”

The provisions of this exemption have perhaps changed most significantly from the original text of the PSA. For one, it now applies only to providers of electronic communications network or services (rather than telecommunication, digital or IT operators). The typical example would be a mobile operator who enables users to purchase digital services such as apps and charges that service to a mobile phone bill. There is also now a value limit for transactions that are within ECE. An electronic communications network or services provider providing services falling within the ECE must notify the NBS and provide it with an annual audit opinion that the transactions to which the services relate comply with the limits.

4. New payment services:

The amended PSA introduces new regulated services: account information services (“AIS“) and payment initiation services (“PIS“).

AIS is an online service to provide consolidated information on one or more payment accounts held by the payment service user (“PSU“) with one or more payment service providers. AIS come in a variety of business models ranging from simply showing the information from various payment accounts in one place to sharing this information upon the PSU’s instructions with another party (e.g., a lender or investment adviser) who then use it to provide custom-tailored services to the PSU. Whether the service provider will require a license as an AIS will depend on whether it has access to the payment account, whether the information regarding the payment account(s) has been consolidated in any way, the nature of the information obtained from the payment account, and other factors.

PIS is defined as a service to initiate a payment order at the request of the PSU with respect to a payment account held at another payment service provider. This includes businesses that enable PSU to purchase goods and services online without using a payment card or another payment method.

PIS providers will have to be authorized by the NBS under the same conditions as payment institutions. These conditions are virtually the same as under the original PSA, save for enhanced levels of payment security. Among other things, the applicant must submit a significant amount of documentation to the NBS, including a programme of operations, business plan, projections of the capital requirements in the first financial year, etc., and meet capital requirements (€50k in RSD counter-value). The AIS providers will only have to be registered with the NBS, which is a considerably simpler process than authorisation, although it also involves a number of conditions and requirements, including obtaining professional indemnity insurance (this requirement applies to PIS providers as well).

Banks are generally required to ensure AISP and PIS provider access to the PSU’s payment accounts. The rules for granting that access are contained in Articles 46a (for AISP) and 46b of the amended PSA (for PIS). If these rules are complied with, the bank may only deny an AIP or PIS provider access to the payment account if there are reasonably justified and duly evidenced reasons. These reasons must relate to an unauthorized of fraudulent access to the payment account or to an unauthorized of fraudulent initiation of a payment transaction by these service providers. If the bank denies access to the payment account, it must immediately notify the NBS and explain reasons for the denial of that access.

5. Regulatory sandbox:

Regulatory sandboxes are intended to allow companies, especially startups, to test innovative products, services and business models in the real market without incurring the regulatory burdens and costs that would otherwise apply to such products, services and business models. In general, innovators in the Serbian payment services markets could have used the LNE under the original PSA to test their products in the limited network without triggering the licensing requirements. The amended PSA lays ground for a more specific regulatory sandbox concept. Namely, the NBS will be able to disapply specific or all provisions of the law to a provider of service for a certain period and for the sole purpose of testing that service, provided that such service is “innovative” and considerably improves the quality of payment services in the market. The NBS will further develop the conditions for the regulatory sandbox in the implementing regulations.