sk sk

Business requirements PI & AISP

PaPayment institutions and AISPs are subject to the supervision of NBS. Apart from obligations, which result to all business companies according to business law, tax, accounting and other rules, they have to meet regulatory requirements according to the Payment Services Act, for example:

  • comply with the minimum requirements for own resources,
  • protect funds received from payment service users,
  • comply with the rules on protection against money laundering and terrorist financing,
  • comply with the rules of consumer protection.

Different reporting obligations apply to payment institutions regarding NBS. Payment services providers, which provide payment initiation or account information shall dispose of liability insurance.

Members of the institutional bodies of payment institutions and senior employees must be unimpeachable and professionally eligible. Competence means that persons concerned have practical and theoretical knowledge about the business. Payment institutions shall elaborate and maintain procedures for ensuring compliance with the rules of prudential business including operational and IT risks. They can entrust the performance of some of their activities only under conditions established by the law.

Payment institutions shall pay an annual contribution for the supervision of NBS. They are subject to mandatory external audits. As payment services providers they must report serious operational and security incidents such as fraud data in relation to payments. Details about some of the obligations are stated below and in respective legislation. Your questions concerning annual contributions can be sent to the email address prispevky@nbs.sk.

Own funds

Own funds of the payment institution shall not decrease under the level of the paid-up share capital (for example under 20 000 eur/50 000 eur/125 000 eur).

The request for own funds is calculated according to method A, according to permanent cutting costs of payment institutions for the period of the previous 12 months. This means that the payment institution is obliged to dispose of its own funds in the amount of capital of at least 10% of its fixed operational costs for the period of the previous year. Payment institution is obliged to calculate and permanently follow the value of their own sources of financing.

Requests for protection of funds received from payment services users

A payment institution which receives funds from users of payment services is obliged to protect them according to one of the following manners:

  • if funds were not transferred to the receiver until the end of the working day, the payment institution shall deposit these funds into a separate account or invest them into safe liquid and low-risk assets
  • if the payment institution does not follow the possibility mentioned above it is obliged to dispose of a concluded insurance contract or other comparable warranty

The payment institution providing payment initiation service is obliged to dispose of the contract of liability insurance with the aim to cover liabilities related to this payment service. The insurance contract shall be concluded with requests according to EBA Guidelines with the amount of insurance sum, that is possible to calculate here.

The payment services provider providing account information service (AISP) is obliged to dispose of the contract of liability insurance or other comparable warranty of responsibility against the provider of payment services, which holds the payment account or against the payment services user, which does not result from non-authorised or fraudulent access or use of information on the payment account.

The domain of protection against the legalisation of income from criminal activity  and against terrorist financing (AML/CFT)

The rights and obligations of legal persons and natural persons (obliged entities) in preventing and detecting money laundering and terrorist financing are contained in Act No 297/2008 on anti-money laundering (Act on AML).

Payment services providers and agents of payment services are obliged entities according to the Act on AML.

Payment service providers are obliged to elaborate and regularly revaluate programs of their own activity. The own activity is a basic framework for the domain of AML/CFT, which contains practical assurance of compliance with the law, which results from the Act on AML.

Payment services provider within the framework of activities according to this Act is obliged to identify, assess, evaluate and update risks of legalization and terrorist financing according to types of activities and business relationships, after the consideration of their own risk factors and risk factors stated in the annex No 2 of this Act. Risk factors are that the payment services provider is obliged to set namely according to the type of client, the aim, the regularity and the duration of the business relationship or occasional business apart from the business relationship, type of product, value and manner of providing business and riskiness of country or geographical area, to which business relationships or businesses are linked. It is about applying a risk-oriented approach in relation to clients and the activities it provides.

Further information on AML/CFT area

  1. National assessment of risks of legalization from criminal activities and terrorism financing (“NHR”)
  2. International sanctions – Ministry of foreign affairs of the Slovak republic
  3. Moneyval – Committee of experts for evaluation of the area of protection against the legalization of incomes from criminal activities and terrorism financing
  4. Financial intelligence unit of the Police force – methodological guidelines and opinions on the area of AML/CFT
  5. European Banking Authority EBA – Guidelines and delegated regulation

Annual assessment made by NBS

NBS, within the remote supervision in the sector of payment services, carries out an annual assessment of fulfilment of selected requests of legal rules by supervised subjects (hereinafter referred to as “annual assessment of remote supervision”). Deficiencies found are individually resolved with supervised entities and together with generalized results and recommendations for improvement of activity are sent to supervised entities in the form of a so-called list of supervised entities (“dear CEO letter”). NBS published this letter also on its website. Letters for respective periods can be found below:


Accessing of payment accounts for third parties

Directive PSD2 in 2018 imposed an obligation on payment services providers, which hold payment accounts, obligation to open those payment accounts to third parties via dedicated interfaces (API – Application Programming Interface, preferred solution from the security point of view) or direct access (Graphic User Interface).

The directive did not create a single API standard, which causes differences in the quality of APIs between providers. The European Banking Authority (EBA) fulfils insufficient legal ground in the domain of API on a continuous basis by interpretation of the specifics in opinions and Q&A. In addition, NBS in 2021 and 2022 published to this domain also two opinions which specifically are related to our market. After that, NBS asked banks by providing concrete examples for such an API, which is for a user of payment services equally comfortable as the use of internet banking, or mobile application of the bank.

The procedure of NBS for ensuring the quality of API is summarized in the following report


Qualified TPP issue

Neither NBS nor other national competent authorities in the domain of supervision have access to the production environment of API and insufficiencies can be identified only based on forms sent to providers, or suggestions sent by a third party. The third-party, which has an issue with the API of the provider, can submit to NBS a qualified issue if

  • it did not manage to resolve insufficiency through bilateral communication with the bank and
  • for removal of obstacles there is a legal ground in the European legislation or the EBA interpretation stated above.

Want to check if you understand PSD2 and the API correctly?

  • we offer an interactive quiz