An open banking system in a closed market

In 2014, Serbia took a big step forward in aligning its payment services regulation with EU rules. The Payment Services Act (Zakon o platnim uslugama), a local equivalent of the first Payment Services Directive (“PSD1”), was adopted, opening the doors of the sector to non-banking service providers. The focus then shifted to early 2016, when the revised Payment Services Directive (“PSD2”) entered into force, which had a considerable impact on the EU payment market. As there is already talk of a third payment services directive under consideration[1], the time has come to examine the legislative steps that Serbia has taken to follow suit.
PSD2
PSD2 laid the foundations for “open banking”. At the heart of this concept are ownership of and access to data. Data relating to the customer’s income and expenses, spending habits, repayment history, etc., had been collected, processed and held exclusively by the banks. The main message under PSD2 is that customers own this data and can choose to share it with third parties, in which case the bank must allow access to the data to third parties who are licensed as payment initiation service providers (“PISP”) or account information service providers (“AISP”).
The PISP essentially functions as a link between the payer, their bank and the merchant. It allows payers to initiate transactions from their bank accounts in a simplified and secure way. Suppose you buy an e-book from an online store. The platform’s available payment options include “pay by bank account”. If you select this option, you will be asked to choose your bank from a list. You then authenticate yourself using a PIN code and/or facial recognition. The PISP communicates with your selected bank and receives, among other data, a confirmation that the funds in your account are sufficient to execute the payment transaction. The PISP can also facilitate peer-to-peer money transfers. Some popular apps allow sending payment requests through a messaging service such as SMS, Viber, WhatsApp, etc.
An AISP collects and aggregates financial data from multiple user bank accounts. This data can then be used for various purposes. At a minimum, you can get a good overview of your financial situation and an analysis of your spending habits and expenses. For example, you can see that you spent RSD 5,000 on takeaway coffee that month. Many additional services can be integrated with AIS. Some apps provide investment advice based on your financial data (for example, they can advise you to buy a coffee machine). AIS products can also be used for banking product comparison by allowing the user to check which bank charges the highest fees and which offers the lowest credit interest rates. Other AISPs are creating tools that allow customers to share their financial data with potential lenders, thereby shortening loan application time and improving affordability assessment. There are even apps that calculate the carbon footprint of your daily purchases. The commercial applicability of open banking data is truly endless. Certainly, an AISP or integrated service provider should always check whether its model has additional licensing requirements depending on what it is doing with the data (e.g. a recommendation to buy bonds would typically amount to investment advice, a service under securities regulations).
SCA
Another objective of PSD2 is the security of cashless payments. Among other measures, payment service providers are required to implement strong customer authentication (“SCA”) standards developed by the European Banking Authority. SCA is a set of rules to verify that the person requesting online access to an account or attempting to make a payment online is authorized to do so. Two or more of the following should be used for verification: something the customer knows (for example, a password), something the customer owns (for example, a cell phone), and something the customer is (for example, a fingerprint). Conversely, the verification method that most users are used to, i.e. entering the payment card number and CVV, does not meet the new requirements. Although the rules are designed to protect users, how payment service providers follow them in practice could affect the convenience of their payment solutions. Therefore, offering a PSD2 and SCA compliant security mechanism, which is both simple and user-friendly, could be one of the competitive advantages in the market.
Serbia
There is no public information that lawmakers have started work on preparing regulatory changes to transpose PSD2 into Serbian law. As an exception, the requirements of the SCA have been implemented by the National Bank of Serbia in the decision on minimum standards for management of the information system of the financial institution (“Decision”). The Decision requires local payment service providers to apply SCA when providing electronic services, including payment initiation and account access. Exceptions to SCA requirements are limited and include low-value payments, payments to trusted, “white-listed” payees, and transactions and services assessed as low risk. Under PSD2, compliance with SCA and the application of exceptions are key factors in determining who is liable in the event of fraud, and it will be interesting to see how local rules evolve in this area.
A more general question is what degree of competition the current Serbian regulatory framework allows in the financial services sector. PSD2 promotes fair competition between payment service providers, which includes not only banks and other traditional participants, but also so-called FinTech companies. The latter are most often seen as drivers of innovation in the provision of financial services. However, the Serbian regulator’s approach to FinTech regulation is mixed. On the one hand, experimentation is supported by providing a rudimentary “sandbox” for innovators to test their products in a controlled setting. On the other hand, the main problem is that the authorization regimes that apply to some financial services are too broad and rigid and therefore impose high barriers to entry for new entrants. For example, FinTech lending companies generally do not take deposits and therefore do not create money through loans, and their investors have no recourse to government guarantees. Nevertheless, unlike in the EU, such companies would still generally be subject to banking licensing requirements under Serbian law, as only banks can extend credit as a commercial activity[2]. This means that even FinTech lenders that do not take deposits would have to comply with the prudential requirements applicable to traditional banks (e.g. capital, liquidity and leverage ratio). Until these and other regulatory constraints are resolved, Serbia will lack FinTech players to compete in the first place. If this is to change, regulators should take advantage of the interim period before the implementation of PSD2 and open banking to review their approach to regulating financial innovation.