The Bulgarian banking sector is governed by national legislation harmonised with EU standards. The Bulgarian National Bank (BNB) serves as the supervisory authority for banks in Bulgaria and works in close co-operation with the European Central Bank (ECB) to ensure the soundness and stability of the banking system. The principal laws and regulations governing Bulgaria’s banking sector include the following.

• Bulgarian National Bank Act (BNBA): This Act establishes the authority of the BNB, which functions as Bulgaria’s central bank. It covers areas such as monetary policy, payment system regulation, the supervision of credit institutions, and the functions and responsibilities of the BNB as the central bank of Bulgaria, a new eurozone member state.
• Credit Institutions Act (CIA): This Act serves as the core legal framework for the operation of credit institutions in Bulgaria. It defines the procedures for licensing, as well as the requirements for acquiring or increasing control over a bank, corporate governance, capital adequacy, liquidity and risk management. It is transposed into national legislation: Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (the “Capital Requirements Directive”; CRD), and several other EU Directives related to banking.
• Payment Services and Payment Systems Act: This legislative Act defines the framework and institutions that enable electronic and cash-based fund transfers within the country, regulated primarily by the BNB. These include banks, payment institutions and fintech companies that operate platforms for credit transfers, direct debits, card payments and instant payments, ensuring secure and efficient financial transactions across Bulgaria and the EU.
• Introduction of the Euro in the Republic of Bulgaria Act: As Bulgaria is joining the eurozone on 1 January 2026, this Act regulates various aspects of the introduction of the euro as the lawful currency of the country, including aspects that are relevant for the functioning of banks in Bulgaria.
• Recovery and Resolution of Credit Institutions and Investment Firms Act (RRCIIFA) – This Act transposes into national legislation – ie, Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms (the “Bank Recovery and Resolution Directive”; BRRD), and regulates the recovery and resolution of banks and investment firms.
• Insolvency of Banks Act (IBA): This Act is designed to address the specifics of a bank insolvency and to protect creditors’ and depositors’ interests in such situations.
• Measures Against Money Laundering Act (MAMLA) and Measures Against the Financing of Terrorism and of the Proliferation of Weapons of Mass Destruction Act: These Acts establish obligations for credit institutions and other designated entities in relation to the prevention of money laundering and financing of terrorism.
• European Union Regulations: As an EU member, Bulgaria complies with European banking rules such as the CRD and the Capital Requirements Regulation (CRR), which establish uniform standards for capital adequacy and liquidity across EU banks.
• Secondary legislation: The BNB has published a range of subordinate legislative acts (mostly Ordinances) to implement, clarify or provide details on how national laws should be applied in practice.

The CIA, in alignment with the CRR, defines a bank (credit institution) as a legal entity the core business activity of which is to receive deposits from the public and grant financing for its own account – at its own risk. Such activity requires a licence.

Bulgarian National Bank and European Central Bank

The licensing procedure starts with an application by the bank applicant being submitted to the BNB, accompanied by various documents including, but not limited to:

• the foundational documents of the bank applicant;
• documents pertaining to the subscribed shares in the capital of the bank applicant;
• a detailed business plan covering at least three years;
• an overview of the management and organisational structure of the bank applicant;
• an overview of the internal audit systems;
• information about the management and supervisory boards (or the board of directors, in case of a one-tier structure); and
• information about the shareholders holding, directly or indirectly, 3% or more of the bank applicant’s share capital.

The ECB, in co-operation with the BNB, approves the issuance of a bank licence within three months as of the filing of the application. If the application and the accompanying documents are incomplete, the three-month term lapses once all documents and information for the application have been provided. In practice, the procedure may take from six to nine months. Communication with the regulators is carried out in the form of official correspondence through the BNB. The fee for processing and reviewing the application for a bank licence is BGN100,000 (approximately EUR51,129).

Restrictions on Licensed Banks’ Activities: Ancillary Activities of Banks

Banks (whether local or licensed in another EU state and passported in Bulgaria) may only perform the services covered by their licence. Banks licensed in other EU members states may begin their activity in Bulgaria only after the BNB has been notified by the competent authority that issued the licence. Banks incorporated in countries outside the EU may carry out banking activities in Bulgaria only after establishing a branch and obtaining a licence for such activities from the BNB.

Apart from deposit taking and lending activities, banks can perform ancillary activities, provided that their licence explicitly lists the performance of such ancillary activities. Ancillary services include, among others, payment services, safekeeping of valuables, depository services, issuing of guarantees and letters of credit, financial leasing, investment services, factoring, e-money issuance, issuance of tokens and crypto-assets, etc.

The list of ancillary services that banks may provide, subject to being covered by their licence, is aligned with those listed in Annex I of the CRD. No additional approvals by other regulatory bodies are required once an ancillary service is included under the bank’s licence.

Passporting

A bank holding a valid bank licence issued by a regulator in another EU member state may exercise the activities included under its licence in Bulgaria directly, based on the freedom to provide services, through a tied agent or through a branch. For this purpose, the bank should notify the relevant regulator in its host state. Prior to commencing activities in Bulgaria, the relevant EU member state’s regulator that issued the bank’s licence shall notify the BNB.

A bank licensed in Bulgaria may carry out the activities included under its licence in another member state through establishing a branch, through a tied agent or directly. The Bulgarian bank should notify the BNB of its intention to operate in another member state. Upon the positive outcome of such notification, the BNB shall send all relevant information to the competent regulator in the accepting member state.

Applicable Thresholds

The acquisition of shares in the capital of Bulgarian banks is subject to prior approval by the BNB and the ECB. There are several relevant thresholds in this respect, including:

• the (direct or indirect) acquisition of 10% or more of the shareholding in a bank by one person or persons acting in concert; and
• a shareholder’s (or shareholders acting in concert) participation exceeding 20%, 33% or 50% as a result of a direct or indirect acquisition.

These thresholds also apply in cases of capital increases or the conversion of bonds into shares. In addition, if any of these thresholds are reached as a result of objective circumstances and not due to the actions of the acquirers, such acquisition is still subject to the BNB’s approval. Until such approval is granted, the acquirers will not be able to exercise the shareholder rights connected with the newly acquired shares.

Further, if a person acquires 3% or more (but less than the foregoing thresholds) in the capital of a Bulgarian bank, the Bulgarian Central Depository, which serves as a depositary for the book-entry shares of all Bulgarian credit institutions, has to notify the BNB of such acquisition.

Regulatory Filings

The regulatory filing for approval of an acquisition of shares contains detailed information not only concerning the acquirer (who can acquire shares in the bank directly or indirectly) but also the entities in its ownership structure up to its beneficial owner, as well as various documents and information pertaining to the financial condition of the applicant, the qualifications and professional experience of the applicant’s managing bodies, related parties, the results of similar procedures in other countries, credit rating documents (if any), the acquirer’s plan for strategic development of the bank, forecasted financial statements, etc.

When issuing its approval, the BNB considers the financial stability of the applicant and the potential influence it will exercise over the bank in view of assuring stable and sensible management of the bank.

Additional Filing Requirements

A shareholder of a bank disposing of its shareholding (in a percentage that meets the relevant threshold) should notify the BNB of such disposal. Further, the bank itself shall notify the BNB of any transfer of its shares that results in the relevant thresholds being exceeded or fallen below. Banks shall also make quarterly submissions to the BNB containing information on the shareholders of the bank holding 10% or more of the bank’s shares.

Relevant Statutory and Regulatory Requirements

Banks in Bulgaria are subject to strict governance and control requirements. The management board (or in the case of a one-tier management system, the board of directors) of the bank is the main corporate body responsible for the adoption and updating of the bank’s corporate governance rules and procedures. The set of rules and procedures shall adhere to internationally recognised good practices in the field and include, among others:

• the management and organisational structure of the bank, with clear, transparent and consistent responsibility levels;
• the rights and responsibilities of the bank’s administrators and the allocation of functions across the management and supervisory bodies of the bank;
• the bank’s business plan and business strategy;
• the risk management framework, including oversight, control, and mitigation policies and strategies;
• operational control management;
• the internal control framework, which applies to the risk management unit, compliance unit and internal audit unit;
• the policy for selection of management board and supervisory board members;
• the policy on prevention of conflict of interests;
• the policy on outsourcing of activities; and
• the policies on AML/FT prevention.

The policies should be adequate according to the bank’s size, the nature and complexity of its activity, and the risks related thereto. The BNB has opted to apply the guidelines of the European Banking Authority (EBA) on internal governance under the CRD (EBA/GL/2021/05). Banks in Bulgaria should comply with these guidelines, together with the requirements under Bulgarian legislation and directly applicable EU regulations.

Diversity Requirements

National law does not contain explicit requirements on aligning board members’ appointments with gender targets. However, banks in Bulgaria are obliged to address diversity criteria in their policies on the selection and assessment of the suitability of the management and supervisory boards. This approach is in line with EU legislation and the ECB’s efforts to promote diversity. The ECB’s fit-and-proper questionnaires, which require information on the compliance of the proposed appointees with the bank’s potential diversity policies, have been included by the BNB by way of reference in the set of required documents for the national fit-and-proper assessment of bank board members.

Bank Secrecy and Ethical Codes

Bank employees, members of the management and supervisory boards, as well as liquidators and special administrators of banks (in the cases of winding up of a bank or bank insolvency) and any other person engaged by the bank, are subject to bank secrecy rules, meaning that they are prohibited from disclosing or taking avail (either personally or to the benefit of family members) of information regarding the available balance and transaction of clients of the bank. The prohibition continues to apply even after the termination of the relationship between the bank and the person in question.

Each bank’s policies on the organisation and management thereof shall also include a code of ethics to be adhered to by the bank’s employees and administrators.

The senior management of banks in Bulgaria, including board members and certain key employees, is subject to certain regulatory requirements. Members of a bank’s management and supervisory boards (the board of directors in a one-tier management system) are required to have a minimum level of qualification (at least a master’s degree) and professional experience (a certain number of years in similar positions) that is appropriate for the activities performed by the bank and the risks it is exposed to. Prior to being appointed, board members need to obtain an approval from the BNB. The fit-and-proper assessment by the regulator ensures compliance with the minimum regulatory requirements but also the suitability of the proposed candidate. This assessment is carried out both on an individual basis (specifically in respect of the applicant) and collectively (with respect to the management body as a whole).

Applicants for managerial positions should also meet, among other things, the following requirements:

• they have not been convicted of a premeditated crime (unless exonerated);
• they have not held positions in a management or supervisory body or have been a general partner in entities that have been dissolved due to insolvency where creditors have been left unsatisfied;
• they have not been members of a management or supervisory body of a bank within two years prior to the date on which such bank was declared insolvent; and
• they have not been deprived of the possibility to hold a position as an accountable person. 

Along with the application for approval, candidates are required to provide certain documents, including CVs, copies of relevant diplomas, clear criminal record certificates, and detailed questionnaires on their professional experience and qualification.

When assessing the suitability of management board members and supervisory board members, the BNB also focuses on the proposed member’s good reputation and reliability, whether the member in question can invest sufficient time managing or supervising the bank’s activities, and how the member fits with and supplements the collective body’s competencies.

The BNB should approve (or reject) the candidate within 60 days as of the filing of the application. If the application and the accompanying documents are not complete, the 60-day term starts lapsing once all the documents and information for the application have been provided. In practice, the procedure may take around three months. For significant banks, the fit-and-proper assessment is carried out by the BNB in co-operation with the ECB,

Key position holders – such as the chief financial officer (CFO), branch managers, the internal audit unit directors, the compliance unit directors, the risk management unit directors, etc – are also subject to assessment by the BNB, which is performed post-appointment.

Individuals Subject to the Remuneration Requirements

Banks should adopt remuneration policies covering all forms of pay and incentives, including retirement benefits, for several categories of individuals. These include members of the management and supervisory boards, senior management and staff responsible for risk management, compliance, internal audits or material business units. The policies should also apply to employees receiving significant remuneration – defined as at least the BGN equivalent of EUR500,000 and not less than that of management – whose roles materially affect the bank’s risk profile.

Remuneration Principles

The remuneration policy must define criteria for both fixed and variable components of the remuneration. Fixed pay should be based on the employee’s experience and responsibilities, while variable pay must be linked to sustainable, risk-adjusted performance. Fixed pay must represent a sufficiently large portion of total remuneration to allow flexibility, including the possibility of not paying the variable component.

Variable pay must adhere to several key requirements. It cannot exceed fixed pay and must not compromise the bank’s capital adequacy. Guaranteed variable pay is prohibited except for new employees during their first year of employment, provided the bank’s capital base remains stable. Additionally, variable pay should depend on multi-year performance appraisals of the individual, the business unit and the bank as a whole, using both financial and non-financial criteria. In cases of negative results, variable pay may be reduced or reclaimed (“claw-back”) if an employee causes significant loss or breaches fitness and propriety standards.

Furthermore, at least 50% of variable remuneration must consist of shares or equivalent non-monetary instruments, with retention periods that align incentives with the bank’s long-term interests. For members of the management and supervisory boards as well as employees with equivalent remuneration, at least 60% of variable pay must be deferred.

Regulators’ Supervisory Approach

The competent regulator does not review or pre-approve the remuneration of the management but may carry out ad hoc or planned audits and inspections to ensure compliance of the remuneration policy and the actual remuneration structures in the bank with the regulatory requirements.

Regulatory Framework

The anti-money laundering and counter-terrorist (AML/CTF) framework in Bulgaria is built upon both national laws, EU directives and the guidelines of relevant bodies, providing a comprehensive regulatory environment for combatting financial crime. Key legislation includes MAMLA and the Measures Against the Financing of Terrorism and of Proliferation of Weapons of Mass Destruction Act (MAFTPWMDA), each addressing different but complementary aspects of financial crime prevention.

MAMLA is the primary legislative instrument, transposing the 4th and 5th EU AML Directives into Bulgarian law. It mandates credit institutions to identify and verify the identities of their customers, including determining the ultimate beneficial owners (UBOs) of corporate clients. In line with evolving international standards, MAMLA is being updated to align with the EU’s 6th Anti-Money Laundering Directive. This updated Directive expands the scope of money laundering offences to include new predicate crimes and strengthens co-operation between financial intelligence units across borders.

The MAFTPWMDA complements MAMLA by focusing specifically on the prevention of terrorism financing. It restricts Bulgarian banks from offering services to individuals or entities connected to terrorism, in compliance with sanctions established by the United Nations Security Council and the Bulgarian Council of Ministers. By adhering to the aforementioned regulations, Bulgarian banks are playing an instrumental role in mitigating the risks associated with financial crimes and ensuring compliance with international standards.

Regulatory Authorities

Several authorities play a critical role in overseeing the AML/CTF landscape in Bulgaria. The State Agency for National Security (SANS) is the principal body responsible for monitoring and ensuring compliance with AML/CTF regulations. This includes collecting, analysing and sharing financial intelligence with relevant agencies.

The BNB supervises the banking sector’s adherence to AML/CTF obligations, ensuring that domestic and branches of foreign banks operating in Bulgaria follow both national and EU rules. The BNB also holds the power to impose sanctions and penal decrees on banks that violate AML legislation.

As the ECB does not directly regulate national AML matters, the BNB is preparing to work with the European Anti-Money Laundering Authority (AMLA), which is expected to oversee AML supervision across the EU.

Customer Due Diligence Requirements

Customer due diligence (CDD) is an essential aspect of Bulgaria’s AML framework, designed to detect and prevent financial crime. Banks must carry out CDD at the start of any business relationship and for transactions that meet certain risk criteria. Standard CDD requires banks to collect basic customer information such as name, address, date of birth and the nature of any business activity. This information helps the bank assess the customer’s risk profile and understand their transaction behaviour.

In cases where a customer presents a low risk, simplified CDD procedures may be applied. This allows for less stringent checks, but only in circumstances where MAMLA explicitly permits it. For higher-risk clients, such as politically exposed persons (PEPs) or clients from high-risk jurisdictions, enhanced due diligence (EDD) must be applied. MAMLA specifies that EDD is necessary when transactions involve higher risks, such as those associated with anonymity, large sums of money or complex structures.

For corporate clients, banks are required to verify the UBOs to ensure transparency in ownership structures. This verification typically involves checking public registers and corporate documents, and where information is insufficient, further documentation is requested from the company.

Reporting Obligations

Banks in Bulgaria are subject to stringent reporting obligations aimed at identifying and preventing money laundering and terrorist financing.

Suspicious activity reporting is mandatory for banks, which must report any suspicious transactions to SANS through the goAML system. This platform allows banks to electronically submit reports on suspected illicit activities, including money laundering and terrorism financing.

In addition to suspicious activity reports, threshold reporting is required for certain larger cash transactions, as they may be indicative of money laundering.

Since July 2024, banks must report discrepancies in UBO information to the Registry Agency if the information held by the bank does not match the data in public registers. The entity must resolve these discrepancies within a set period, ensuring that UBO information is accurate. Failure to meet reporting requirements can result in severe penalties, including fines, operational restrictions or criminal charges for significant breaches of AML/CTF legislation.

Risk-Based Approach to AML/CTF

In line with international best practices, Bulgarian banks are required to adopt a risk-based approach to their AML/CTF efforts. This ensures that due diligence measures are tailored to the level of risk posed by each customer or transaction.

Risk assessments must be conducted for each customer and consider factors such as the customer’s profile and geographical location, and the nature of their business. Banks must apply a higher level of scrutiny to customers who pose a greater risk of being involved in money laundering or terrorism financing. For high-risk clients, such as PEPs or customers from high-risk jurisdictions, banks must implement EDD measures. Additionally, banks must monitor large, complex or unusual transactions that might indicate illegal activities.

To mitigate money laundering and terrorism financing risks, Bulgarian banks must use advanced transaction monitoring systems, provide ongoing employee training and conduct regular audits to detect suspicious activities promptly.

AML/CTF Compliance Programmes and Internal Controls

To ensure compliance with AML/CTF regulations, Bulgarian banks are required to establish comprehensive internal compliance programmes. Banks must develop and maintain internal policies that define CDD procedures, how suspicious activity reports are handled and how risk assessments are carried out. These policies should be regularly reviewed and updated to reflect evolving risks and regulatory changes, ensuring compliance across all branches, including those abroad.

A designated AML Officer must be appointed to oversee the bank’s compliance programme and ensure that all legal obligations are met. This officer is also responsible for implementing corrective actions when necessary. Ongoing employee training is essential to equip bank staff with the necessary skills to identify suspicious activity, understand the relevant legal frameworks, and know how to report potential cases of money laundering or terrorism financing.

Lastly, record keeping is a critical component of compliance. All records related to CDD and transaction monitoring must be retained for at least five years after the end of the business relationship or transaction, ensuring that they can be accessed for regulatory or law enforcement purposes if required.

The Deposit Guarantee Scheme in Bulgaria is established through the legal requirements set out in the Bank Deposit Guarantee Act (BDGA). The BDGA establishes the legislative foundation ensuring the stability and trustworthiness of Bulgaria’s deposit protection framework. It defines the legal parameters governing how the bank deposit guarantee system operates, aiming to safeguard depositors’ funds in the event of bank insolvency.

The scope of the BDGA extends to all banking institutions authorised under the CIA to accept deposits or other repayable funds from the public. It also covers the branches that these banks establish in other member states of the EU. In addition, the provisions of the BDGA may apply to branches of foreign banks headquartered outside the EU, provided that these entities have obtained a licence from the BNB to conduct banking activities in Bulgaria and meet specific legal requirements. The BDGA further outlines the structure, mission, responsibilities and operational procedures of the Bulgarian Deposit Insurance Fund (BDIF), which serves as the principal body responsible for administering and maintaining the country’s deposit guarantee scheme.

The BDFI’s primary purpose is to safeguard depositors by guaranteeing the protection and repayment of insured deposits. In addition, it plays a key role in supporting the effective restructuring of credit institutions. The BDFI also works to uphold the rights and interests of creditors throughout bank insolvency proceedings.

The deposit guarantee scheme covers natural persons and legal entity depositors. Deposits in euros and in foreign currency are guaranteed by the BDIF. Deposits up to a total amount of EUR100,000 are protected by the BDIF, regardless of the number of accounts of deposits maintained with the same bank.

The following categories of deposits are protected up to EUR125,000 for a period of three months from the date the funds are credited to the depositor’s account, or from the moment the depositor gains the legal right to access the funds:

• deposits of individuals arising from real estate transactions connected to the purchase or sale of a primary residence;
• deposits of individuals derived from payments related to marriage or divorce settlements, the termination of employment or public service, and cases of disability or death; and
• deposits originating from insurance or social security payouts, or from compensation awarded for criminal injuries or wrongful convictions.

The BDIF exempts coverage and protection of deposits made by banks, financial institutions, insurance companies, investment intermediaries, collective investment schemes, national investment funds, alternative investment and special investment companies, and budgetary organisations. Also, no coverage is provided to any deposits arising out of or relating to any transactions or actions constituting money laundering or terrorist financing.

In the event of a restructuring of two or more banks through merger by the formation of a new bank, or through merger by acquisition, the deposits placed at said banks before said restructuring shall be calculated for the purposes of guaranteed coverage, separately for each bank within the six-month period.

The BDIF’s financial resources are derived from several key sources:

• annual and extraordinary premium contributions collected from banks;
• income generated through the investment of the BDIF’s accumulated funds;
• the sums received by the BDIF from the property of the bank in the cases of subrogation; and
• additional funding obtained through loans, donations, grants, etc.

The BNB serves as the depository of the funds administered by the BDIF.

Overview

The Bulgarian legal framework dealing with the inherent risks associated with the operations of credit institutions comprises local legal acts and the Basel III regulations.

Bulgarian banks operate within the Basel III framework, made up of Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (CRR) and the CRD – the CRR is directly applicable in Bulgaria, and the CRD has been fully transposed in Bulgaria through the CIA without any major deviations in the transposition. The CIA and the legislative acts issued by the BNB, such as the numerous ordinances, instructions and orders of the BNB, form, on the other hand, the local regulatory framework for banks. Together, they make up the set of rules with which banks in Bulgaria must comply to ensure their prudential and risk-averse operation under the supervision of the BNB and the ECB.

Capital

Bulgarian banks need to comply with a multilayered, specific set of capital requirements. Those include requirements for capital adequacy and capital buffers, aimed at allowing banks access to funds to cover various risks and their obligations to their creditors. Bulgarian banks need to maintain, as a minimum, capital in the amount of EUR5 million. Up to this amount, the capital can be comprised only of monetary contributions and should be paid-up in cash.

The capital of Bulgarian banks is also subject to a specific structure, as follows:

• Common Equity Tier 1 (CET1) capital, including common shares, capital CET1-eligible instruments, reserves and retained earnings;
• Additional Tier 1 (AT1) capital, including certain AT1-eligible capital instruments and share premium accounts related thereto; and
• Tier 2 (T2) capital, including certain T2-eligible capital instruments and share premium accounts related thereto, and subordinated loans.

Not all capital instruments are eligible to be included in the capital structure of a bank, and the BNB exercises supervision (review and approval process) as to what is included in the capital of a Bulgarian bank. Banks should therefore be careful in the structuring of their capital instruments to ensure that each relevant instrument forms part of the capital of the bank, including for the purposes of meeting the various capital ratios mandated under national legislation. These ratios are calculated as a percentage of the total risk exposure as follows:

• a CET1 capital ratio of 4.5%;
• a T1 capital ratio of 6%; and
• a total capital ratio of 8%

An additional capital requirement can be imposed by the BNB if it establishes that it is necessary in the specific circumstances set out under the CIA, including as part of the supervisory review and evaluation process (SREP) of the BNB.

Banks in Bulgaria are also subject to various requirements for capital buffers. These include:

• a capital conservation buffer of CET1, aimed at allowing banks to increase their loss absorption capacity, set at a rate of 2.5% of the bank’s total risk exposure;
• a systemic risk buffer of CET1, aimed at allowing banks to absorb shocks from events that threaten the stability of the banking system, set at a rate of 3% of the bank’s total risk exposure;
• a counter-cyclical capital buffer of CET1, aimed at allowing banks to withstand cyclical systematic risks, set at a rate of 2%; and
• a capital buffer for systemically important institutions, aimed at containing contagion risks from stress events by allowing such institutions to absorb losses, set for six banks in Bulgaria (based on size, importance to the economy, cross-border activities and interconnectedness with the financial system) and varying between 0.5% and 1%.

A combined buffer requirement also applies, where the total CET1 necessary to meet the capital conservation buffer is extended by the other relevant applicable buffers.

Liquidity

Banks must maintain a comprehensive liquidity management system, which includes internal rules and procedures, a liquidity management body directly accountable to the competent managing body and an effective management information system. The internal liquidity management rules must specify principles for ongoing operations, liquidity recovery and contingency plans, and methodologies for identifying and controlling funding sources. Banks must also distinguish between pledged and unencumbered assets and ensure that eligible assets are available in emergencies.

In addition, banks must establish adequate liquidity buffers, diversify their funding sources, and regularly perform stress tests and scenario analyses to assess liquidity positions under adverse conditions.

Risk Management Rules

Banks in Bulgaria are required to maintain a comprehensive risk management framework ensuring that the risks that banks face are properly identified, measured, controlled and maintained.

As part of the comprehensive internal control framework that banks in Bulgaria must maintain, banks must form operational controls, a compliance function (including for the prevention of money laundering and terrorist financing) and an independent internal audit service. The internal audit service operates independently to assess the adequacy and effectiveness of governance, risk management and internal control systems. The compliance function must also be independent, adequately resourced and headed by a qualified official. It is tasked with identifying compliance risks, assessing changes in laws, advising the banks on measures to be taken and reporting.

The local framework also provides for specific rules that apply to the specific risks that banks in Bulgaria face. For example:

• with respect to credit and counterparty risks, banks must adopt sound credit approval processes, incorporate internal methodologies to allow banks to assess exposures, have appropriate documentation and diversify credit portfolios;
• with respect to interest and concentration risks, banks must maintain internal systems to manage risks from changes in interest rates and credit spreads, increases in credit concentration and exposures to collateral issuers exceeding 10% of their own funds; and
• with respect to operational risks, banks must maintain policies, processes, and business continuity and contingency plans to ensure resilience during disruptions.

Systemically important banks

Certain additional requirements apply to systemically important banks in Bulgaria. These include:

• in respect of their capital, a requirement for the maintenance of an additional capital buffer, as described in the foregoing;
• in respect of their nomination and risk committees, the majority of the committee members shall be independent;
• in respect of their supervisory board and the non-executive members of board of directors, the independent members must not be less than one-third; and
• in respect of their committees, a requirement to set up a risk committee and a committee for the selection of candidates for members of its management and controlling bodies.

Overview

The Bulgarian legal framework on the insolvency, recovery and resolution of banks encompasses several legal acts, including the CIA, the RRCIIFA and the IBA. Together, they work to guarantee that banks in financial distress can be resolved, stabilised or liquidated in a way that safeguards the financial system and depositors’ interests.

The national framework has transposed the BRRD without substantial deviation. It has also substantially implemented the Key Attributes of Effective Resolution Regimes for Financial Institutions of the Financial Stability Board (FSB) through the broad powers of the BNB as the resolution authority, the available resolution tools, the ensured protection of depositors, the co-operation of authorities through the Single Resolution Mechanism (SRM) and dedicated funding options – all of which contribute to systemic stability.

Early Actions

When a bank fails to meet regulatory requirements and thereby shows signs of deteriorating financial health (eg, not being able to meet capital and liquidity obligations), the BNB may apply early supervisory intervention measures aimed at restoring stability. As such, the BNB may require a bank to, among other things, take corrective measures to strengthen its capital or liquidity position and restrict certain actions of the bank.

These measures are complemented by the requirement for each bank to prepare an individual recovery plan, reviewed and approved by the BNB. Recovery plans are unique to each bank. They focus on defining a credible recovery and resolution strategy by identifying the critical functions and issues that may impact the resolution of the bank, as well as planning.

To implement the resolution strategy and ensure that the bank has appropriate loss-absorbing and recapitalisation capacity, the BNB sets a minimum requirement for own funds and eligible liabilities (MREL). The MREL is set for each bank individually, expressed as a percentage of the total risk exposure amount and the percentage of the leverage ratio exposure that the bank must comply with simultaneously. Eligible MREL instruments are certain subordinated financial instruments and liabilities, own funds (CET1, AT1, and T2 instruments) and bail-in-able senior liabilities.

Resolution Procedure

The BNB takes a decision to initiate the resolution of a bank when it is determined that the bank is deemed to be failing or likely to fail, that there are no private sector or early recovery measures that could address the situation, and that the resolution of the bank is necessary in the public interest. Upon making this determination, the BNB may apply one or more of the following resolution tools with the aim of enabling the continuity of the bank’s critical functions and safeguarding the public interest:

• the bail-in tool, which allows for a conversion or write-down of equity and debt instruments to absorb losses in a way that avoids the use of public funds for the recovery of the bank;
• the sale-of-business tool, which allows for the total or partial transfer of shares or selected assets, rights and liabilities to a purchaser;
• the bridge institution tool, which allows for a temporary transfer of shares or selected assets, rights and liabilities to a bridge bank to maintain critical services; and/or
• the asset separation tool, which allows for a transfer of impaired or non-performing assets to an asset management vehicle, aiming to maximise their value until their eventual sale or liquidation (this tool can be applied only with another resolution tool).

During the resolution procedure, shareholders and creditors bear losses in accordance with a hierarchy of claims (losses are borne by shareholders first, then creditors), while creditors belonging to the same class are treated equally and must not suffer losses exceeding those they would have borne had ordinary insolvency proceedings been applied to the bank. The BNB may also decide to suspend the performance of payment or delivery obligations under contracts to which the bank under restructuring is a party. This is done to ensure that the chosen resolution tool is effectively implemented.

Bank Insolvency

Where the BNB concludes that the requirements for resolution are not met and that the bank is no longer solvent (the amount of its own funds is negative), the BNB revokes the banking licence and files a petition before the competent district court to initiate insolvency proceedings under the IBA. The court then declares the bank insolvent, opens insolvency proceedings, appoints a temporary trustee until the BDIF designates permanent trustees, and terminates the activity of the bank’s enterprise and the powers of the management bodies of the bank.

The IBA provides for a strictly liquidation-oriented process, excluding the possibility of rehabilitation or restructuring. Upon commencement, all obligations of the bank become immediately due, proceedings against the bank are suspended, certain actions against the bank become null and void, and the bank’s management loses control as to the management of the assets of the bank. Trustees act under the supervision of the BDIF, which authorises major transactions, approves budgets and oversees asset disposals.

The bankruptcy estate includes all assets of the bank and proceeds from their sale. These are distributed to creditors following a statutory order of priority, beginning with claims secured by a mortgage or pledge, claims for which a lien is exercised, expenses related to the insolvency, claims of depositors who are natural persons for amounts exceeding their aforementioned guaranteed amounts, public claims, unsecured creditors and finally claims under subordinated and capital instruments.

The ESG requirements that banks in Bulgaria should comply with are enshrined in two sets of law. On one hand, these are the laws and regulations introducing ESG requirements to business entities in general. On the other hand, there are banking regulations and acts that introduce ESG requirements specifically applicable to banks.

ESG Requirements For Business Entities in General

Bulgaria has transposed into its national legislation Directive (EU) 2022/2464 of the European Parliament and of the Council of 14 December 2022 amending Regulation (EU) No 537/2014, Directive 2004/109/EC, Directive 2006/43/EC and Directive 2013/34/EU, as regards corporate sustainability reporting (CSRD) by amendments to the Bulgarian Accounting Act. The amendments introduced sustainability reporting obligations that will be gradually introduced, with banks being among the first wave of affected businesses.

On 19 February 2025, the Bulgarian parliament adopted amendments to the Accountancy Act, postponing the sustainability reporting requirements mandated under the CSRD by one year. Following these amendments, large public-interest entities with more than 500 employees are now required to prepare their first sustainability reports for 2025, instead of 2024. Other large enterprises will prepare their first reports for 2026 (instead of 2025), while small and medium enterprises will prepare their first reports for 2027 (instead of 2026). These amendments were promulgated in the Bulgarian State Gazette and came into force on 28 February 2025.

Subsequently, Directive (EU) 2025/794 of the European Parliament and of the Council of 14 April 2025, amending Directives (EU) 2022/2464 and (EU) 2024/1760 concerning the timelines for implementing corporate sustainability reporting and due diligence obligations (the “Stop the Clock Directive”) was adopted. This directive further deferred the reporting obligations. As of now, no legislative measures have been proposed by the Bulgarian authorities to enact the Stop the Clock Directive. Nevertheless, pursuant to Resolution No 541, dated 11 August 2025, the Bulgarian Council of Ministers approved its legislative programme for the latter half of 2025, which includes the implementation of the Stop the Clock Directive. The legislative process for this implementation is currently scheduled to commence in November 2025.

ESG Requirements Specifically Applicable to Banks

The latest amendments to the EU’s CRR3 and CRD6 establish robust ESG compliance obligations for financial institutions, effective 1 January 2025. Institutions are required to enhance their ESG risk management and disclosure practices as follows.

• Disclosure requirements (CRR3):
1. Expanded applicability – ESG risk disclosure obligations will encompass all financial institutions, irrespective of size or listing status.
2. Risk categorisation – Institutions must report on physical, transition, social and governance risks separately.
3. Fossil fuel exposure transparency – The total exposure to entities in the fossil fuel sector must be disclosed comprehensively.
4. Strategic ESG integration – Institutions are required to detail the incorporation of ESG risks into their business strategies, operational processes and governance structure.
5. Standardised reporting formats – The EBA will establish technical standards to ensure uniformity in ESG reporting.
6. Data collection standards – Institutions are encouraged to gather granular, high-quality ESG data on a “best-effort basis” to meet disclosure expectations.
• Management and risk frameworks (CRD6):
1. Integration of ESG risks – ESG risks must be embedded into institutions’ overall risk management frameworks.
2. Management oversight – Management bodies are responsible for formulating and supervising quantifiable strategies to address ESG risks over short-, medium-, and long-term horizons.
3. Regulatory alignment – ESG strategies must align with EU climate goals, be informed by scientific advice and correspond with transition plans under related regulatory frameworks.
4. Regulatory supervision – Competent authorities will evaluate and monitor institutions’ ESG strategies, risk management practices and transition plans for compliance.
• Additional reforms:
1. Stress testing – ESG factors will be integrated into capital adequacy stress-testing scenarios.
2. Prudential treatment – The EBA will determine the necessity of distinct prudential treatment for ESG risks.
3. Managerial suitability – A harmonised fit-and-proper framework will assess the qualifications of bank managers in light of ESG obligations.

This revised clause consolidates ESG requirements under CRR3 and CRD6, ensuring institutions adopt a comprehensive and standardised approach to ESG compliance and risk management. Separately, the BNB has adopted a decision to apply in Bulgaria, as of 11 January 2026, the guidelines on the management of environmental, social and governance (ESG) risks (EBA/GL/2025/01) adopted by the EBA.

The Digital Operational Resilience Act (DORA) came into effect on 17 January 2025 and is directly applicable in Bulgaria. It sets rules for minimising and addressing information and communication technology (ICT) risks in the financial sector. To that end, the regulation recognises the following key components as the main pillars of the operational resilience framework:

• ICT risk management;
• ICT-related incident reporting;
• digital operational resilience testing;
• ICT third-party risk management, and
• information sharing arrangements.

Explanations of the banking regulatory requirements related to each of the five pillars, as well as the steps and actions for compliance and the potential penalties for non-compliance in Bulgaria, are provided in the following.

ICT Risk Management

Financial institutions shall have a sound, comprehensive and well-documented ICT risk management framework integrated into their overall risk systems. They should include policies, procedures and tools for identifying, assessing and mitigating ICT risks. Once established, risk management frameworks should be reviewed and documented regularly (at least annually), and any significant changes should undergo risk assessments.

ICT-Related Incident Reporting

Financial entities shall record and report all ICT-related incidents and significant cyber threats. These incidents must be classified according to their priority severity and reported to the relevant national authorities using standardised templates created by the European Supervisory Authorities (ESA).

Operational Resilience Testing

DORA requires that financial institutions test their ICT systems’ resilience at least annually to assess their preparedness. The appropriate tests may be vulnerability assessments and scans, open-source analyses, network security assessments and scenario-based tests, among others. Critical financial entities are required to perform threat-led penetration testing every three years to identify weaknesses and ensure business continuity during cyber-attacks or system failures.

Third-Party Risk Management

Before concluding agreements with third-party ICT service providers, financial institutions must conduct mandatory due diligence to verify that these providers comply with necessary security and risk management standards. Contracts with third-party providers should include certain mandatory clauses (eg, termination in case of legal breaches). The ESA will designate certain third-party ICT providers as “critical”, requiring heightened regulatory oversight and additional risk management measures.

Cyber Threat Intelligence Sharing

DORA encourages financial entities to exchange cyber threat information and intelligence. Engaging in information-sharing initiatives helps organisations stay informed about emerging risks, raise awareness and enhance collective cybersecurity efforts. Such collaboration improves defences across the sector and allows entities to react more effectively to cyber-attacks.

Steps and Actions for Compliance

To comply with DORA’s requirements, financial entities should consider the following actions.

• Conduct a gap analysis: The initial step is performing a gap analysis to assess the institution’s current practices and identify any gaps in compliance with DORA, as well as potential areas for improvement.
• Strengthen governance structures: Financial institutions should strengthen their internal governance frameworks. This includes appointing sufficient personnel or teams dedicated to overseeing ICT risk management with clearly assigned roles and responsibilities.
• Address third-party risks: Agreements with third parties should be reviewed and updated to include mandatory security and compliance clauses. Third-party service providers should also undergo regular audits, with a special focus on “critical” providers that require enhanced oversight.
• Develop incident reporting protocols: Financial institutions should implement clear and effective protocols for reporting ICT incidents aligned with DORA’s reporting requirements. Systems must be in place to detect, classify, and report incidents promptly, ensuring timely notification to competent authorities.
• Promote cyber threat intelligence sharing: Financial institutions should participate in cyber threat intelligence-sharing networks with industry peers and national regulators on emerging or potential threats. Regular involvement in such networks helps organisations stay aware of emerging threats and improves collective cybersecurity efforts.
• Organise ongoing employee and management education: Financial institutions should regularly train employees and management on DORA’s requirements and cybersecurity best practices. This education and informing process should be ongoing to ensure security awareness and compliance.

Sanctions for Non-Compliance

Failure to comply with DORA’s operational resilience requirements may result in penalties for both financial institutions and their representatives.

Sanctions for financial institutions

Entities that fail to comply with DORA’s requirements can face sanctions ranging from approximately EUR10,000 to 20,000. Second-case violations may result in increased fines of approximately EUR20,000 to 50,000.

Sanctions for individuals

Representatives of financial institutions, such as executives or board members, can be fined in their personal capacity for non-compliance, or for allowing violations. Fines for individuals range from approximately EUR5,000 to 10,000 for first-time violations and from approximately EUR10,000 to 20,000 for second-case violations.

The regulatory landscape of the Bulgarian banking sector is undergoing swift transformation, driven by both domestic developments and broader European integration.

Eurozone Accession

Arguably the most transformative event for Bulgaria’s economy – and particularly for its banking industry – is the country’s forthcoming entry into the euro area and the adoption of the euro as its official currency. To meet the expected challenges and ensure a smooth transition, Bulgaria implemented a series of substantial legal reforms. The newly adopted Introduction of the Euro in Bulgaria Act plays a crucial role, setting out detailed provisions on dual pricing, phased withdrawal of the Bulgarian lev from circulation and other practical aspects concerning interaction between businesses and the population. Significant amendments were made to the BNBA to align the central bank’s responsibilities with those of the European System of Central Banks (ESCB). In addition, key financial law, including the CIA, the Markets in Financial Instruments Act, the Currency Act and the Payment Services and Payment Systems Act, were amended to guarantee legal coherence and operational preparedness for the currency switch.

Although the accession of Bulgaria to the euro area has been expected for some time, and banks have had plenty of time to prepare, the transition to the euro will most likely not be without some “hiccups”, necessitating further regulatory fine-tuning. Apart from this major event, which is specific to Bulgaria, most of the developments expected to have an impact the banking sector will arise from the evolving EU regulatory framework.

Directive (EU) 2024/1619

Directive (EU) 2024/1619 of the European Parliament and of the Council of 31 May 2024 amending Directive 2013/36/EU as regards supervisory powers, sanctions, third-country branches, and environmental, social and governance risks (CRD VI) is the sixth major amendment to the EU’s banking-prudential directive framework in the Capital Requirements Directive (2013/36/EU). The amendment’s aim is to strengthen the regulatory framework for banks in the EU by enhancing supervisory powers, sanctions, governance independence and the management of ESG risks. The CRD VI also introduces a harmonised regime for branches of third-country banks operating in the EU and seeks to deepen the internal banking market, while also aiming to reduce reporting burdens for smaller institutions. Bulgaria and the other EU member states shall transpose the CRD VI into national legislation by 10 January 2026. Bulgaria has yet to implement the measures under the CRD VI into national legislation.

Directive (EU) 2023/2225

Directive (EU) 2023/2225 of the European Parliament and of the Council of 18 October 2023 on credit agreements for consumers and repealing Directive 2008/48/EC (CCD II) modernises and broadens EU rules for consumer credit agreements by responding to digital market developments and filling gaps in the previous regime. The CCD II expands the scope of covered products (including very small loans, certain “buy now, pay later” schemes and loans delivered via digital platforms) and strengthens obligations regarding pre-contractual information, advertising, creditworthiness assessments and conduct of business. Bulgaria and the other EU member states shall transpose the CCD II by 20 November 2025. To date, Bulgaria has not transposed the provisions of CCD II into the national Consumer Credit Act.

Directive (EU) 2023/2864

Directive (EU) 2023/2864 of the European Parliament and of the Council of 13 December 2023 amending certain Directives as regards the establishment and functioning of the European single access point (the “ESAP Directive”) amends a number of existing EU financial services and corporate governance EU Directives to give effect to the forthcoming European single access point (ESAP), which will provide centralised access to publicly available information in financial services, capital markets and sustainability. The ESAP Directive lists 16 specific Directives (eg, Directive 2004/109/EC on transparency, Directive 2013/34/EU on annual financial statements, Directive 2014/65/EU on markets in financial instruments) to be amended so that the disclosures required under those regimes become accessible via ESAP. The amendments do not impose new disclosure obligations on companies but rather streamline the collection and submission of already-public information to ESAP. Bulgaria and the other EU member states shall transpose the ESAP Directive by 10 July 2025. However, Bulgaria missed the deadline and is still to adopt the relevant national legislation in this respect.

Amendments to the Payment Services Regulations

In June 2023, the European Commission published proposals for a new Directive on payment services and electronic money services (PSD3), and a new regulation on payment services (PSR), which will serve as a new regulatory framework for payment services in the EU. Although trilogues among the European Parliament, the Council of the European Union and the European Commission are still underway, it is expected that the legislation will be finalised in 2026 and apply shortly thereafter.

PSD3 aims to address gaps in PSD2, especially around fraud prevention, consumer protection and regulatory clarity. The key changes that will be introduced include:

• stronger consumer protection and fraud prevention mechanisms;
• unified rules for payment service providers and e-money institutions;
• higher capital requirements and stricter safeguarding of client funds;
• enhanced transaction security and clearer liability rules; and
• improved access to payment systems for non-bank providers.

PSR will be directly applicable in Bulgaria, whereas PSD3 will most likely be transposed by amendments to the Bulgarian Payment Services and Payment Systems Act and will have an impact on Bulgarian banks and other payment services providers.