Regulatory Compliance & Ongoing Services

Obtaining a license or registration is only the beginning. Payment institutions, electronic money institutions, and financial institutions are subject to continuous regulatory supervision by the BNB and other supervisory authorities. Our team ensures ongoing compliance with the PSPSA, CIA, Anti-Money Laundering Act, Counter-Terrorism Financing Act, PSD2, and DORA.

Regulatory Reporting to the BNB

Every licensed or registered institution is obliged to file periodic reports with the BNB. Non-compliance with deadlines or the filing of incomplete information may result in enforcement measures.

Quarterly Reports

  • Financial reports — balance sheet, income statement, cash flow statement
  • Transaction volume — by type of service, by country, by currency
  • Own funds calculation — using Method A, B, or C (Annex 2 to the PSPSA) for PIs; 2% of the average outstanding e-money for EMIs
  • Information on client complaints

Annual Reports

  • Annual financial report, certified by a registered auditor
  • Annual activity report — strategy, risk indicators, management changes
  • AML compliance report — summary information on due diligence, suspicious transactions, and staff training

Filing Method

All reports are filed electronically through the BNB’s information system, signed with a qualified electronic signature (QES). Hard copies are not accepted for regular reporting.

AML/CTF Compliance — Anti-Money Laundering Act and Counter-Terrorism Financing Act

The prevention of money laundering and terrorist financing is a central element of regulatory compliance for every financial institution. The obligations arise from the Anti-Money Laundering Act and the Counter-Terrorism Financing Act.

Supervisory Authorities

  • FIU-SANS (Financial Intelligence Unit at SANS) — receives and analyses suspicious transaction reports
  • BNB — supervision of AML compliance by payment and credit institutions
  • FSC (Financial Supervision Commission) — supervision of investment intermediaries and insurers

Customer Due Diligence (CDD)

  • Standard Due Diligence (CDD) — upon establishing a business relationship: client identification, identity verification, determination of the ultimate beneficial owner (UBO)
  • Enhanced Due Diligence (EDD) — mandatory for politically exposed persons (PEPs), clients from high-risk jurisdictions, complex/unusual transactions
  • UBO verification — identification and verification of ultimate beneficiaries holding directly or indirectly 25%+ of the capital
  • Ongoing monitoring — continuous monitoring of transactions and updating of client information

Reporting

  • Suspicious Activity Reports (SAR) — filed through the goAML system of the FIU-SANS upon suspicion of money laundering or terrorist financing
  • Threshold reporting — transactions above certain thresholds (EUR 15,000 for one-off, EUR 5,000 for linked transactions)
  • UBO discrepancy reporting — since July 2024, reporting is mandatory upon identification of a discrepancy between declared and actual UBOs

Internal Organisation

  • Appointment of an AML Officer — person responsible for implementing anti-money laundering measures
  • Internal rules — updated policies and procedures for CDD, monitoring, and reporting
  • Staff training — mandatory annual training for all staff
  • Document retention — minimum 5 years after termination of the business relationship

Penalties for Violations

For serious violations of the Anti-Money Laundering Act, penalties may reach up to BGN 10,000,000 or 10% of annual turnover (whichever is higher). For natural persons — up to BGN 200,000. The BNB may also impose additional enforcement measures, including revocation of the license.

Capital Adequacy and Safeguarding of Funds

The safeguarding of client funds is a fundamental requirement of PSD2 and the PSPSA, aimed at ensuring that consumers’ funds are protected in the event of the institution’s insolvency.

Safeguarding Methods

  • Segregation method: Client funds are deposited in a separate account with a credit institution or invested in secure, low-volatility assets. Funds must be ring-fenced by the end of the business day following the day of receipt.
  • Insurance method: An insurance policy or bank guarantee from an institution not belonging to the same group, covering the full amount of liabilities to clients.

Specific Requirements for EMIs

For electronic money institutions, the ongoing own funds requirement is a minimum of 2% of the average outstanding electronic money, calculated over the preceding 6 months. Ring-fencing of funds is mandatory in all cases.

Own Funds for Payment Institutions

The own funds of a PI are calculated using one of three methods (Method A, B, or C) under Annex 2 to the PSPSA and must be maintained continuously. The BNB may set a minimum level higher than that calculated by the formula if it considers that the risk profile of the institution requires it.

IT Security and Strong Customer Authentication (SCA)

PSD2 introduces a mandatory requirement for Strong Customer Authentication (SCA) when initiating electronic payment transactions and accessing payment accounts online.

SCA Elements (two-factor authentication)

SCA requires the use of at least two of three independent elements:

  • Knowledge — something only the user knows (password, PIN code)
  • Possession — something only the user possesses (mobile phone, hardware token, smart card)
  • Inherence — something inherent to the user (fingerprint, facial recognition, iris)

3D Secure

For online card transactions, the 3D Secure (version 2) protocol is the primary mechanism for implementing SCA. Institutions must support 3DS2 for all accepted cards.

SCA Exemptions

  • Low-value transactions: up to EUR 30 (with a cumulative threshold of EUR 100 or 5 transactions)
  • Trusted beneficiaries: the client may add recipients to a "whitelist"
  • Recurring payments: with the same amount and recipient — SCA only on the first transaction
  • Corporate payments: for specialised payment processes with additional levels of control
  • Transaction Risk Analysis (TRA): for low-risk transaction profiles, depending on the institution's fraud rate
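As an added illustration, not part of the original page or of any institution's code, the following Python model shows how a payment service provider might decide whether SCA is required for a remote transaction under the exemptions listed above, keeping the low-value counters per payer. The choice to apply both the EUR 100 and the 5-transaction limits together, and the rule that only low-value exempted transactions advance those counters, are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Limits as stated in the SCA exemptions list above (low-value exemption).
LOW_VALUE_LIMIT = 30.0     # EUR per transaction
CUMULATIVE_LIMIT = 100.0   # EUR accumulated since the last SCA
MAX_CONSECUTIVE = 5        # exempted transactions since the last SCA


@dataclass
class PayerState:
    """Per-payer counters a PSP must keep to apply the low-value exemption."""
    cumulative_since_sca: float = 0.0
    count_since_sca: int = 0
    trusted_payees: set = field(default_factory=set)   # payer-managed whitelist


def assess_sca(state: PayerState, amount: float, payee: str,
               recurring_follow_up: bool = False) -> tuple[bool, str]:
    """Decide whether SCA is required for one transaction and update counters.

    Returns (sca_required, reason). Assumptions for this example: the PSP
    applies BOTH the EUR 100 and the 5-transaction limits, and only low-value
    exempted transactions advance the counters.
    """
    if amount <= 0:
        raise ValueError("amount must be positive")
    if recurring_follow_up:
        # Same amount and payee as an earlier SCA-authenticated transaction.
        return False, "recurring payment: SCA applied on first transaction only"
    if payee in state.trusted_payees:
        return False, "trusted beneficiary exemption"
    if (amount <= LOW_VALUE_LIMIT
            and state.cumulative_since_sca + amount <= CUMULATIVE_LIMIT
            and state.count_since_sca + 1 <= MAX_CONSECUTIVE):
        state.cumulative_since_sca += amount
        state.count_since_sca += 1
        return False, "low-value exemption"
    # No exemption applies: SCA is performed and, once it succeeds, the
    # low-value counters start again from zero.
    state.cumulative_since_sca = 0.0
    state.count_since_sca = 0
    return True, "SCA required"


def run_sequence(amounts, payee="merchant-A"):
    """Apply assess_sca over a list of amounts for a fresh payer and return
    the list of decisions (True = SCA required). Amounts are constructed."""
    state = PayerState()
    return [assess_sca(state, a, payee)[0] for a in amounts]
```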

DORA — Digital Operational Resilience Regulation

Regulation (EU) 2022/2554 on the digital operational resilience of the financial sector (DORA) has been effective since 17 January 2025 and applies directly in all Member States, including Bulgaria. DORA affects payment institutions, EMIs, credit institutions, and other financial market participants.

Key Pillars of DORA

  1. ICT risk management: Institutions must have an ICT risk management framework covering identification, protection, detection, response, and recovery. The management body bears direct responsibility.
  2. ICT incident reporting: Mandatory reporting of significant ICT incidents to the competent authority (BNB) within prescribed deadlines — initial notification, interim report, and final report.
  3. Digital resilience testing: Annual testing of ICT systems — penetration testing, scenario testing, business continuity testing. For critical entities — in-depth testing (TLPT) every 3 years.
  4. Third-party risk management: Mandatory due diligence of ICT providers, including contractual clauses for audit, security, and termination. Register of all ICT contracts.
  5. Information sharing: Voluntary exchange of information on cyber threats among financial entities.

Penalties

For non-compliance with DORA, competent authorities may impose administrative fines of EUR 10,000 to EUR 50,000 per violation, and for critical ICT providers — up to 1% of the average daily global turnover for the preceding financial year, per day of the violation.

Agents and Outsourcing

Representatives of Payment Institutions

  • Payment institutions and EMIs may provide services through agents entered in the BNB register
  • The BNB has the right to restrict or prohibit the use of a specific agent, if it considers that the agent does not meet the requirements
  • For EMIs — agents may only carry out distribution and redemption of electronic money, not issuance
  • The institution bears full responsibility for the actions of its agents

Outsourcing of Functions

  • Outsourcing of operational functions to third parties is permitted, including IT infrastructure, transaction processing, and client support
  • Maintaining a physical office in Bulgaria is mandatory — cannot be fully outsourced
  • When outsourcing ICT functions — mandatory due diligence of the provider under DORA
  • Mandatory termination clauses in contracts — the institution must be able to terminate outsourcing without disruption to operations
  • Outsourcing of critical functions requires prior notification to the BNB

Annual Audit and Consumer Protection

Mandatory Annual Audit

Every licensed payment institution and EMI must subject its annual financial report to a mandatory audit by a registered auditor. The audit report is filed with the BNB together with the annual financial report.

Consumer Protection

  • Free information: The institution must provide consumers free of charge with information on service conditions, fees, and exchange rates before concluding a contract
  • Right of termination: The consumer may terminate a framework agreement with 1 month's notice
  • No-fee termination: For contracts with a duration exceeding 6 months, termination is free of charge
  • Complaints procedure: The institution must respond to a complaint within 15 business days. In exceptional circumstances, the deadline may be extended to 35 business days
  • BNB acts: BNB acts concerning consumer protection are immediately enforceable — subject to enforcement without judicial proceedings

Frequently asked questions

What penalties apply for AML violations?

For serious violations of the Anti-Money Laundering Act, penalties for legal entities may reach up to BGN 10,000,000 or 10% of annual turnover — whichever is higher. For natural persons (including the AML Officer and management members) — up to BGN 200,000. Violations may include: failure to conduct due diligence, failure to file a suspicious activity report, absence of internal rules, or inadequate training. The BNB may also impose additional measures — public censure, temporary prohibition of certain activities, or revocation of the license.

How do we comply with DORA requirements?

DORA compliance requires a systematic approach: (1) Establishing an ICT risk management framework with clear allocation of management body responsibilities; (2) Implementing a procedure for reporting ICT incidents to the BNB; (3) Conducting annual security tests (penetration testing, scenario testing); (4) Reviewing and updating all contracts with ICT providers — including clauses for audit, security, and termination; (5) Creating a register of all ICT contracts; (6) For critical entities — TLPT (Threat-Led Penetration Testing) every 3 years. Our team can conduct a GAP analysis and prepare a roadmap for achieving full compliance.

Can we outsource IT functions?

Yes, outsourcing of IT functions is permitted, but subject to strict conditions. Under DORA, the institution is obliged to conduct thorough due diligence of the ICT provider, include mandatory clauses in the contract (right of audit, security requirements, termination plans), and maintain a register of all ICT contracts. Outsourcing of critical functions requires prior notification to the BNB. The institution remains fully responsible for the actions of its providers and must maintain a physical office in Bulgaria. We recommend an exit strategy that ensures business continuity when changing providers.

Need regulatory support?

Our team of lawyers and regulatory consultants ensures comprehensive ongoing compliance — from AML policies and DORA implementation to periodic reporting and preparation for BNB inspections.