Contributed By Penkov, Markov & Partners
Principal Laws
The regulatory framework of the banking sector in Bulgaria is based on national laws and regulations that are aligned with European legislation. The main regulatory authority is the Bulgarian National Bank (BNB), which along with the European authorities ensures the stability and safety of the entire banking sector.
The main laws and regulations in the area are as follows.
Regulatory Authorities
The BNB is the main regulatory authority in the banking sector. It is responsible for licensing banks, supervising their activities and enforcing regulatory requirements. The BNB carries out macro-prudential and micro-prudential supervision.
The Financial Supervision Commission (FSC) also has a role in the area. Although it does not directly regulate banks, the FSC supervises insurance companies and capital markets, all of which are related to the financial sector as a whole.
As part of the EU, Bulgaria complies with the regulatory framework of the European Banking Authority (EBA), which sets common standards and guidelines for banks in the EU.
In the context of the European Banking Union, Bulgaria participates in the Close Co-operation Mechanism with the European Central Bank (ECB), which includes direct supervision of certain systemically important banks in Bulgaria.
Application and Required Documents
The bank authorisation procedure must be initiated by the founders of the bank through the Governor or the Deputy Governor of the BNB heading the Banking Supervision Department by submitting an application to the governing board of the BNB. Among many other things, the application should include:
Timeline
The BNB shall decide whether a banking licence will be granted within three months of the submission of the application and all of the required documents, but in any case, not longer than 12 months from receipt of the application.
During the three-month review period, the BNB shall perform an in-depth analysis of the filing and, among other things, shall verify whether numerous circumstances are met. If no evidence is provided that these additional requirements are met, the BNB shall refuse to grant a licence. The refusal shall be reasoned and is not subject to appeal. In the event of refusal, the applicant has the right to file a new application not earlier than 12 months after the initial refusal.
Costs
The BNB shall charge a fee of BGN100,000 (approximately EUR50,000) for the administrative costs related to the processing of applications and documents for the issuance of a licence.
Banking Services and Activities
A bank may not carry out any activities other than those covered by its licence and specified by the Credit Institutions Act (CIA).
Banking services and activities in Bulgaria fall into two categories – exclusive banking activities and non-exclusive banking activities.
The exclusive banking activities may be carried out solely by legal entities holding a bank licence, non-EU banks licensed to operate in the Republic of Bulgaria and EU banks that provide services directly or through a branch within the territory of the Republic of Bulgaria. The exclusive banking activities include taking deposits or other repayable funds from the public, accepting valuables on deposit and acting as depositary or trustee institution.
The non-exclusive banking activities may be carried out by a bank, if they are included in its licence, as well as by other legal entities – eg, financial institutions, payment service providers under the PSPSA, investment intermediaries under the Financial Instruments Market Act, electronic money companies under the PSPSA, etc, and include provision of payment services, issue and administration of other means of payment (travellers’ cheques and letters of credit), financial leasing, guarantee transactions, trading for own account or for account of customers in foreign exchange and precious metals, money broking, acquisition of accounts receivable on loans and other types of financing, issuing of electronic money and any other activities, specified by the CIA or an ordinance of the BNB.
Obtaining a European Passport
If a bank is licensed in an EU state, it may carry on, directly or through a branch within the territory of the Republic of Bulgaria, the activities that are included in its domestic licence, after the BNB has been notified by the competent authority which has granted the licence.
If a bank is licensed in the Republic of Bulgaria, it may carry on bank activities within the territory of another EU state after it has notified BNB, in written form, of its intention to establish a branch within the territory of another EU state.
In the event of a change of control over a bank, consisting of the acquisition of shares or voting rights related to shares by an individual or legal entity as well as persons acting in concert, whereby as a result of the acquisition their shareholding becomes qualifying (10% or more of the shares) or if this shareholding would reach or exceed the thresholds of 20%, 33% or 50% of the shares or the voting rights related to the shares, or if the bank would become a subsidiary, a prior written approval of the BNB is mandatory as a condition precedent for completion of the acquisition.
If such an acquisition occurs as a result of objective circumstances beyond the person’s control, the acquirers shall nevertheless obtain an approval from the BNB. Otherwise, the voting rights attached to the shares so acquired shall be suspended and such shares shall not be counted against the quorum of the general meeting of the shareholders of the bank. In case the acquirer is a credit institution, an insurance undertaking, a reinsurance undertaking, an investment firm or a managing company authorised in another member state, a parent undertaking of such or a person exercising control over such, the BNB shall hold preliminary consultations and co-operate with the competent supervising authority of the home member state.
The application shall specify whether the planned acquisition is a primary acquisition or an increase of the holding in the share capital, direct or indirect, if the applicant is acquiring on their own or with other persons acting in concert, as well as information about the bank shares owned by the applicant, the number of the shares planned to be acquired and the size of the bank capital.
The most important criteria taken into account by the BNB in its assessment of the application for approval are:
It should be noted that the BNB also considers the potential impact of the applicant on the credit institution or the banking sector; it may therefore refuse to issue the written approval on the basis of subjective criteria indicating that the acquiring person would have an adverse effect on the sector.
When it comes to corporate governance of banks, the landscape is highly regulated.
General Legal Regimes
The following legal regimes are in place:
Diversity Requirements
The bank should adopt and implement a policy of selection and assessment of the suitability of members of the management board (board of directors) and supervisory board, taking into account the bank’s size and internal organisation, as well as the nature, scale and complexity of its activities. Among others, the policy should include principles and rules for promoting diversity in the management board (board of directors) and supervisory board which shall as a minimum contain: (i) criteria of diversity; (ii) the target level of under-represented gender participation in the management board (board of directors) and supervisory board and the timeframe for its achievement. In order to maintain diversity in the management board (board of directors) and the supervisory board, the policy should ensure non-discrimination based on sex, race, colour, ethnic or social origin, genetic features, religion or belief, membership of a national minority, property, birth, disability, age or sexual orientation.
Bank Secrecy – Rules of Conduct for Employees
All bank employees, members of the management and supervisory bodies of a bank and any other persons working for a bank shall sign a declaration by which they undertake to observe bank secrecy. They have no right to disclose, or use for their own benefit or for the benefit of any member of their families, any information concerning the balances and operations on the accounts and deposits of the bank’s customers. This obligation applies not only for the period of time during which they hold the relevant position, but also after their relationship with the bank is terminated.
Director or Senior Manager Designation and the Regulatory Approval of Their Appointment
Members of the management board of a bank may only be natural persons who, among others:
When internally assessing the suitability of nominees for members of the management body of a bank, the latter should also take into account whether the persons are of sufficiently good repute, are able to act with honesty, integrity and independence of mind, as well as whether they are able to commit sufficient time to perform their functions. Banks shall also assess the collective suitability of the management and supervisory bodies as a whole unit.
A person may be appointed as a member of the management board only after prior approval by the BNB, which must be issued within 60 days after all of the required documents have been submitted to the authority. The BNB may refuse to issue an approval if the person does not meet the requirements, if the required documents have not been submitted or the submitted documents contain incomplete, contradictory or false information, as well as if the person does not have a good reputation. The fitness and propriety assessment carried out by the regulatory authority is very detailed and comprehensive.
Screening Requirements
In case of re-election of a member of the management board for another term, a new approval by the BNB is not necessary, unless there is a change in the held position, which requires a new suitability assessment. The commercial bank should in any case keep track of whether the relevant members of the management board meet the requirements for occupying the relevant position.
Individuals Subject to Remuneration Requirements
Each bank shall adopt a remuneration policy to be applied to the following individuals:
Remuneration Principles
The applied remuneration policy shall (i) promote effective risk management and discourage excessive risk-taking, (ii) be in line with the business strategy, objectives, values and long-term interest of the bank, (iii) incorporate measures to avoid conflict of interest, and (iv) be gender neutral.
Furthermore, the remuneration policy should include different criteria, determining the fixed and variable remuneration of individuals. The fixed remuneration shall depend on the relevant professional experience and organisational responsibilities of the individual and the variable remuneration – on the sustainable, effective and risk-adjusted performance, as well as performance beyond the job description.
General Regulatory Framework
Key legislative acts
The Bulgarian Measures Against Money Laundering Act (the “AML Act”) transposes the provisions of the 4th and 5th AML Directives into the national law.
Bulgaria’s Know Your Customer (KYC) statutory requirements are in line with the requirements of the said EU acts. To support reporting entities in fulfilling their Customer Due Diligence (CDD) duties, the AML Act requires that all entities declare their Ultimate Beneficial Owners (UBOs). Such information must be submitted to either the Commercial Register and the Register for Non-Profit Organisations (for companies and certain registered non-profits) or the BULSTAT Register for other entities.
In several sectors, including banking, digital customer onboarding is permitted as long as the identification and verification of customers comply with the AML Act.
Furthermore, the Combating Terrorism Financing Measures Act (the “CFT Act”) prohibits Bulgarian banks from directly or indirectly providing funds, financial assets, economic resources, or financial services to persons, entities, or groups involved in terrorist activities. This is in accordance with lists established by the United Nations Security Council and the Bulgarian Council of Ministers. Bulgarian banks must also implement measures laid down in European Union regulations related to sanctions imposed on specific individuals for terrorism or its financing.
Regulatory authorities
The State Agency for National Security (SANS) serves as the primary body responsible for the AML/CTF oversight in Bulgaria. SANS is tasked with collecting, preserving, examining, analysing, and sharing financial intelligence data, as envisaged under the AML and CFT Acts.
The BNB also supervises AML/CTF compliance for all banks operating in Bulgaria, including branches of foreign banks and those from other EU member states.
While the European Central Bank (ECB) currently holds no direct powers over AML-related issues concerning Bulgarian banks, the BNB is in the process of preparing to collaborate with the upcoming European Anti-Money Laundering Authority (AMLA), a new pan-European supervisory body.
Specific Requirements Under the AML/CFT Legislation
Customer due diligence (CDD)
Under the AML Act all banks are required to perform standard CDD before entering into a business relationship or carrying out specific occasional operations or transactions. CDD measures can also be enhanced or simplified depending on the risk level.
Simplified CDD can be applied only if certain pre-conditions are met, among which the customer’s risk assessment must indicate a negligible or low risk of money laundering.
Enhanced CDD (ECDD) is mandatory when the risk of money laundering is high, such as in the following cases:
The list is not exhaustive; banks must apply ECDD whenever the risk assessment indicates a heightened risk of money laundering.
When conducting CDD on companies or legal entities, the AML Act requires identifying the UBO, who must be a specific individual as defined by the EU AML Directives. Identification is done through public company registers, certificates of good standing and other documents proving ownership and control structures. If these documents are insufficient, a declaration from the legal representative or proxy may be required.
Notification of discrepancies to the Registry Agency (RA)
Starting in July 2024, obliged entities, including banks, must notify the RA if they identify discrepancies between the collected data and the publicly reported information on UBOs during CDD. All relevant documentation must be enclosed. Upon receiving such notification, the RA officers will request the entity in question to resolve the discrepancies within a strict timeframe.
Reporting suspicious transactions
SANS has introduced specialised software called “goAML” for analysing financial intelligence. Obliged entities, such as banks, can use this system to electronically submit reports on suspicious activity, knowledge of money laundering, funds of criminal origin, and terrorism financing. Filings on paper with SANS are still possible.
Risk assessment
Banks are required to adopt Individual Risk Assessments in order to identify, understand, and assess risks related to money laundering and terrorist financing. These assessments must adhere to the National Risk Assessment and align with guidelines from the ECB, which the BNB follows.
Record-keeping
Banks are required to retain all CDD-related information for five years after the conclusion of the business relationship or occasional transaction.
Internal rules for AML and CTF control
All procedures, including those related to CDD, reporting and risk assessment, must be documented in the bank’s internal rules. These rules must be regularly updated and include procedures for sharing information within the bank’s group (if applicable) and ensuring AML/CTF compliance across the bank’s branches and subsidiaries.
AML training for staff
Banks must provide initial and ongoing training to their employees on the requirements of the AML Act, the CFT Act, and related Internal Rules. The training programmes must equip employees with the knowledge to identify suspicious transactions, customers and operations, and to take appropriate action when money laundering or terrorist financing is suspected.
The Bank Deposit Guarantee Act (BDGA) provides for a legal framework on the reliable functioning of the bank deposit guarantee system and the protection of depositors, as well as the organisation, objectives, functions and operation of the Bulgarian Deposit Insurance Fund (BDIF). The BDGA applies to all banks which have been licensed according to the procedure established in CIA to receive deposits or other repayable funds from the public, as well as to the branches set up in other EU states by any such banks. The BDGA furthermore applies, if certain conditions are met, to the branches of any bank having its head office in a third country, which has been licensed by the BNB to pursue business activity in the Republic of Bulgaria. Should these criteria be satisfied, the deposits are guaranteed by the BDIF.
The Deposit Guarantee Scheme in Bulgaria is administered by the BDIF. The objective of the BDIF is to contribute to the stability and credibility of the financial system in the country, and to this end it shall ensure protection of deposits and repayment of covered deposits, assist the effective resolution process for credit institutions and ensure optimum protection of the interests of creditors in the bank bankruptcy proceedings. The main function of the BDIF is the repayment of the covered deposits up to the guaranteed amount.
The BDIF guarantees the deposits of natural persons and legal entities – Bulgarian and foreign nationals. All funds in a bank account of any type are guaranteed: a current account, a debit card account, a deposit, savings or accumulation accounts, an account in favour of a third party, or a joint account. Deposit guarantee is applicable to credit balances obtained as a result of funds deposited in an account, or from temporary situations resulting from regular banking transactions, which the bank is obliged to pay to its customers in accordance with applicable legal or contractual provisions. Financial instruments of an investment type are not considered a bank deposit and are not guaranteed by the BDIF, except nominal deposit certificates issued before 2 July 2014.
There are also other deposits listed in BDGA that do not qualify for a guarantee due to the specific quality of the depositor (ie, banks, when the deposits are opened on their own behalf and for their own account; financial institutions; insurers and reinsurers; retirement insurance companies and supplementary retirement insurance funds and payment funds managed thereby; investment intermediaries; collective investment schemes, national investment funds, alternative investment funds and special-purpose investment companies; budgetary organisations).
The BDIF guarantees the payment of the aggregate sums held by any single person on deposits at a bank, irrespective of the number of deposits and the amount of funds held in them, up to a level of EUR100,000. This sum includes the principal and interest accrued and shall be paid after the depositor submits to the BDIF a resolution of the BNB or a judicial authority act.
An additional protection of up to EUR125,000 for a timeframe of up to three months is provided for certain types of deposits, resulting from: real estate deals for residential purposes; payments related to conclusion or dissolution of marriage, termination of a labour contract or civil service contract, disability or death; insurance or social insurance payments or from payment of compensation for damages from crimes or reversed sentence.
The covered deposits are repaid regardless of whether the deposit holder also has liabilities (credit) to the same bank. The BDIF ensures that depositors have access to their covered deposits not later than seven business days as of the date of the resolution of the BNB or a judicial authority act.
The financial sources funding the BDIF are exhaustively listed in the local laws and they consist of the (i) annual and extraordinary premium contributions levied from banks, (ii) income from investing the financial means raised by the BDIF, (iii) the sums received by the BDIF from the property of the bank in the cases of subrogation and (iv) other sources (loans, donations, foreign aid, etc).
The main contributions to the BDIF come from the annual premium contributions by the banks. The BDIF determines the annual premium contribution for each bank on or before May 1st of the current year. Extraordinary contributions shall be levied should the available financial means of the BDIF be insufficient to cover the liabilities. The BDIF may also issue debt securities and receive allocations from the state budget to make up for the residual deficit of financial resources.
Adherence to Basel III Standards
The credit institutions in Bulgaria are subject to the requirements set in Basel III (CRR and CRD IV) and all stipulations of CRD IV have been transposed into local law mainly through the provisions of CIA.
Risk Management Rules
The management body of any bank shall adopt and periodically update, in line with the best internationally recognised practices for corporate management of banks, policies, rules and procedures for the bank’s organisation, internal control framework, including independent risk management, compliance and internal audit departments. The adopted strategy shall be subject to regular review and approval by the supervisory board of the bank.
The strategy shall include the establishment and maintenance of a risk management structure which is independent from the operational units and has sufficient authority, stature, resources and adequate access to the supervisory board. The head of the bank’s risk management structure should be an independent senior manager or a senior officer within the bank, provided however that there is no conflict of interest. Additionally, each significant bank shall also establish a risk committee, composed of at least three members of the supervisory board or non-executive members of the management board. The function of the risk committee is to advise the supervisory board of the management body on the bank’s risk strategy and assist in monitoring its implementation.
Each bank should have internal risk management methodologies enabling it to assess the credit and counterparty risk, the identification, measurement and management of risks arising from potential changes in interest rates and credit spreads, as well as the evaluation and management of market risks, operational risk and the risk of excessive leverage.
Quantity and Quality of Capital Requirements and Capital Buffers
The minimum required paid-up capital at the time of incorporation of the bank is BGN10 million (approximately EUR5 million) and it cannot fall below this amount at any time. The contributions of the shareholders up to BGN10 million may be solely monetary, but any subsequent capital increase may also be in kind, if a prior written approval of the BNB is issued. Any shareholders who have subscribed for 3% or more of the voting shares and the 20 biggest shareholders shall effect the payments against their shares with their own funds, provide evidence of the origin of those funds and a declaration of the taxes paid thereon in the preceding five years.
As to the capital buffers, the BNB has the right to determine the types of buffers, the terms and conditions for their formation and updating, taking into account the standards set out in CRD IV. In 2024, the counter-cyclical capital buffer rate applicable to credit risk exposures in Bulgaria is 2%.
Liquidity Requirements
The banks should manage their liquidity in a manner that ensures they are able to meet their daily obligations regularly and without delay, both in a normal banking environment and in a crisis. They shall maintain adequate liquidity management systems for identification, measurement, management and monitoring of the liquidity risk, which aim to hold liquid assets to cover mismatches between cash inflows and outflows. The development and the implementation of the system are the responsibility of the internal liquidity management body of each bank.
The liquidity requirements are supervised by the BNB. If the BNB determines that a bank has a significant liquidity issue which requires immediate action, the sub-governor in charge of the Banking Supervision Department may require the bank to submit weekly or daily liquidity reports, to reflect its survival plans and its strategy to reach the liquidity thresholds.
If a bank violates the liquidity requirements, the BNB has various powers to impose enforcement measures for ensuring the stability of the bank, such as issuing a written warning, convening a general meeting of shareholders or scheduling a meeting of the management board and the supervisory board, issuing a written order to cease and desist from the violation as committed, issuing a written order to take measures for improving the financial condition of the bank, and other measures provided in the Credit Institutions Act and the Recovery and Resolution of Credit Institutions and Investment Firms Act.
If a bank authorised in the Republic of Bulgaria carries on its activity through a branch in another member state or if a bank from another member state carries on its activity through a branch in the Republic of Bulgaria, the bank liquidity is supervised by the BNB in co-operation with the competent supervision authorities of the home member state.
Additional Requirements Applicable to Significant Banks
For significant banks, there is an additional requirement that at least one-third of the members of the supervisory board or the non-executive members of the management board of the bank should be independent.
The Bulgarian bank insolvency, recovery and resolution regulations include multiple legislative acts apart from the general insolvency rules and procedures envisaged in the local Commercial Act, and more specifically, the Bank Insolvency Act, the CIA, the BDGA and the Recovery and the Resolution of Credit Institutions and Investment Intermediaries Act.
Given the potential consequences of a bank insolvency from a public interest perspective, all the insolvency procedures are set out in the special Bank Insolvency Act, which (together with the other applicable legislative acts) is in full compliance with the EU legal framework in this field.
In a substantial departure from the general insolvency procedure, bank insolvency may be initiated before the court only by the BNB, given that the latter has revoked the licence of the respective bank or considers that the deposits in the bank are unavailable or in danger of such an event. Given the particularities of the procedure and the deposit guarantees provided, the BDIF also plays a key role in the proceedings from the outset.
Notwithstanding the circumstance that the court is the authority that guides the proceedings until their finalisation, in practice it has a rather ancillary role related to ensuring the legality of the procedure. To that effect, BNB and the BDIF have the leading role in all bank-related insolvency, recovery and resolution procedures in Bulgaria.
After initiation of the procedure by the BNB, at least two insolvency administrators, whether temporary or permanent, are chosen by the BDIF, and once the proceedings are opened the court does not have the right to change the insolvency administrators appointed by the BDIF.
The insolvency administrator must be included in a list of bank insolvency administrators maintained by BNB and, in practice, must be an independent administrator who does not participate in any other insolvency procedure. The term of appointment and the remuneration of the administrator are determined by the managing board of BDIF.
During the insolvency procedure, the insolvency administrators are obliged to identify all the creditors, assets, liabilities, the related collaterals of all types – ie, to determine the insolvency mass and to report the information to BDIF.
No later than two months after the initiation of the procedure, the administrators must draft an asset realisation programme, subject to approval from the BDIF, providing for a starting date for the commencement of the asset liquidation procedures and a deadline by which all assets and property rights in the insolvency mass will be liquidated. The insolvency administrators may not deviate from the programme once it has been approved by the BDIF, except with the prior written consent of the managing director of the BDIF.
The liquidation of the assets of the bank (respectively – the distribution of the acquired amounts thereof) is executed mainly by special tender procedures (ie, by means of public sale, by public auction or by secret auction), conducted by the administrators, but subject to prior approval from the BDIF. These procedures may be appealed before the insolvency court by a creditor of the bank or by a third party with independent rights over the properties or rights affected by the liquidation of the assets.
In addition, it is possible to sell a bank in insolvency as a going concern – but only to another bank or banks licensed to do banking business in the country. The buyer is liable only for the obligations it has assumed under the court-approved terms of the transaction. The remaining claims and unvested rights shall be extinguished.
During the bank insolvency proceedings, the insolvency court is engaged with settling disputes relating to the inclusion of a creditor in the list of accepted claims in the insolvency proceedings to allow the latter to benefit from the liquidation of the bank assets; adjudicating on appeals from persons participating in tenders or adjudicating on appeals against liquidation actions. However, the court in the bank insolvency proceedings generally acts as a supervisory body and is not the main participant leading the insolvency proceedings.
The bank insolvency regulations explicitly prohibit the participants in the procedure from proposing or executing a recovery plan with respect to the particular bank. However, the Recovery and the Resolution of Credit Institutions and Investment Intermediaries Act provides for multiple coercive administrative measures, which are more of a preventive nature, including conclusion of an intra-group financial support agreement, appointment of an extraordinary governor, etc.
The insolvency proceeding is considered finished once all of the liabilities of the bank have been settled or the insolvency mass has been depleted.
Bulgaria has implemented some of the FSB Key Attributes of Effective Resolution Regimes. Following the failure of one of the country’s largest banks in 2014, Bulgaria undertook many amendments to its legislative framework, both implementing principles from those of the FSB and improving its legal framework and synchronisation with EU law, with a view to applying for the Eurozone. This process is now finalised, with the adoption of the whole package of legislative measures in this respect and the country’s accession to the Eurozone expected in 2025–2026. The country is striving to improve its legal system in this regard.
A depositor that is a natural person or a micro, small or medium enterprise and has a deposit exceeding the guaranteed amount (see Deposit Guarantee Scheme (DGS)) is one of the privileged creditors in the insolvency and is entitled to participate in the fifth order of satisfaction, after the claims secured by pledge and mortgage; claims for which a lien is exercised; claims of the competent authorities arising out of bankruptcy costs incurred; and claims for which the BDIF has subrogated. The depositors whose deposits are not guaranteed by the BDIF are entitled to claim their receivables in the sixth (out of 18) satisfaction order.
No other preference rules, applicable to deposits, are envisaged in the Bulgarian legislation.
Highlights
In general, the transposition of the Corporate Sustainability Reporting Directive (CSRD) in Bulgaria is distinguished by the following highlights:
Local Legal Framework of the ESG
The transposition of the CSRD in Bulgaria is effected by way of amendments in the Bulgarian Accountancy Act (AA) and the Act on Independent Financial Audit effective as of July 2024. Some minor changes to the Public Offering of Securities Act were also introduced.
The new legal framework aims to achieve two key objectives:
In this context, the AA broadens the scope of non-financial information previously reported and increases the number of reporting entities (obliged companies), with most Bulgarian banks being among the first to comply.
The obliged entities should include in their annual activity report a separate section with information on sustainability issues (the so-called “sustainability report”).
Sustainability Report
This document, which is part of the activity report of a company, shall include, inter alia, the following:
Once prepared, the activity report, including the sustainability report, will be subject to a statutory audit by a certified auditor in line with the provisions of the Independent Financial Audit Act.
Explicit responsibility of the head and members of the management and supervisory body of a company is envisaged for the preparation and publication of the annual reports (including the sustainability report), as well as for conducting an independent financial audit and expressing assurance on sustainability.
Regulation (EU) 2022/2554 on the digital operational resilience for the financial sector (DORA), which entered into force on 16 January 2023, shall become directly applicable in all EU member states, including Bulgaria, as of 17 January 2025.
As DORA is an EU regulation, its provisions do not require transposition into national law. Nevertheless, certain legislative measures related to its implementation in the Bulgarian jurisdiction have been envisaged in a draft bill amending the Bulgarian CIA. These amendments form part of a broader legislative package proposal, relevant to the banking and financial sectors, following the Markets in Crypto-Assets Regulation, or part thereof, becoming applicable in the EU earlier in 2024.
Most notably, the draft bill proposes changes with respect to the designation of a supervisory authority for the banking sector, which shall monitor compliance under DORA, the scope of its regulatory powers and the sanctions it may impose for non-compliance. Naturally, the BNB will be the regulator responsible for ensuring that both banks and their ICT service providers comply with DORA, being vested with the necessary powers to conduct supervisory activities, including investigations and sanctioning of in-scope organisations.
In addition to the powers envisaged for the BNB by DORA, the draft bill suggests that the BNB has the authority to request and review banks’ strategies, internal rules, procedures and implementation mechanisms for information and network security, which must be adopted and ensured by the banks’ governing bodies in accordance with the requirements of DORA. Moreover, the BNB will be empowered to carry out, within its jurisdiction, supervisory reviews of each bank’s risks established through its own internal risk assessment and operational resilience testing. On the basis of these risk reviews, the BNB may assess whether the respective banks’ risk management frameworks, including strategies, procedures, mechanisms, and allocated resources, adequately ensure sound risk management and resilience.
It is worth noting that no specific organisational (documentation) or technical (logical) requirements are set forth in the local draft bill with respect to governance of information and network security. Therefore, DORA’s general obligations (documentation, reporting, etc) will have to be fully taken into consideration when implementing compliance measures, without accounting for additional local stipulations.
Where the BNB, in the course of its regulatory activities, identifies infringements of DORA, a broad range of remedial measures and administrative penalties is envisaged for banks, depending on the severity of the breach. These measures range from written warnings (in the case of minor infringements), to formal requests that the investigated bank undertake corrective actions, such as aligning its activity (including its internal risk management framework) with DORA’s requirements, and, in the most severe instances, even the revocation of the bank’s licence. Additionally, administrative penalties are envisaged both for non-complying banks and for individuals who have committed or permitted the commission of breaches under DORA (eg, members of management bodies of banks). These shall range from approximately EUR25,000 to EUR100,000 for non-complying banks and from EUR1,500 to EUR6,000 for individuals.
It is anticipated that the proposed draft bill will be enacted later in 2024.
The Euro Act
Bulgaria officially adopted an Act on the introduction of the euro in Bulgaria (“the Euro Act”) in 2024, detailing the transition of the official currency from the lev to the euro. Key points include currency conversion rules, exchange mechanisms, and automatic conversions of bank accounts and legal instruments regarding the exchange in particular regions. There will be a one-month “dual circulation period” from the date of euro adoption, in which the lev will continue to be legally admissible. A key point in the Euro Act is that traders must display prices in both currencies for a period of 12 months. Provisions are in place for converting company capital, handling interest rates on loans, and updating accounting systems. Non-compliance with these regulations will result in penalties. Naturally, all the above changes affect banks, considering their economic role and specific activities.
Directive (EU) 2023/2225 (the “New Consumer Credit Directive”)
The New Consumer Credit Directive addresses issues related to consumer protection, especially in light of new market developments such as digitalisation and the emergence of new credit products. Also, it seeks to create a more harmonised regulatory framework across the EU, ensuring transparency (providing information before the conclusion of the credit agreement), improved creditworthiness assessments on the basis of appropriate and accurate information on the consumer’s income, expenditures related to the cancellation, termination and early payment methods, etc. The directive also introduces provisions related to new financial products such as “buy now, pay later” schemes, as well as related to the technological advances in the credit market. As far as its transposition in Bulgaria is concerned, the directive must be implemented into national law by 20 November 2025. However, it enters into force and shall be applied after 26 November 2026.
Directive (EU) 2023/2673
The regulation outlined in the directive focuses on financial services contracts concluded at a distance. It amends the currently applicable Directive 2011/83/EU and repeals Directive 2002/65/EC. The key aim is to modernise consumer protection in the context of digitalisation and technological advancements, particularly for distance contracts involving financial services. The regulation addresses the rights of consumers related to pre-contractual information and the right of withdrawal, and ensures online fairness in automated financial transactions. Considering the evolving role of banks in the provision of distance financial services, the directive will have a direct impact on the local regulatory environment. Regarding transposition, Bulgaria and other EU member states are required to adopt and publish the necessary laws, regulations, and administrative provisions by 19 December 2025. These measures must be applied starting from 19 June 2026.
Greenwashing and Green Claims
With the adoption on 13 June 2024 of Directive (EU) 2024/1760 (known as the “Greenwashing Directive”) and the upcoming Green Claims Directive (soon to be adopted by the European Parliament), the ESG framework in the European Union will be significantly strengthened. Currently there are no relevant draft bills in the legislative pipeline.
These directives aim to prevent misleading environmental claims by requiring companies (including banks) to ensure that any sustainability-related statements are accurate, clear, and substantiated by evidence. As a result, businesses will be subject to stricter regulations on how they communicate their environmental impact, promoting greater transparency and accountability.
Regulation (EU) 2024/1620 (Anti-Money Laundering)
According to this regulation, an Authority for Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) will be established. Its purpose is to ensure more uniform and effective high-quality supervision and co-operation Union-wide in the fight against money laundering and terrorist financing. It will have the power to directly supervise high-risk entities in the financial sector (including banks), co-ordinate with national regulators, and contribute to the harmonisation of practices in the detection of suspicious transactions or activities by assisting Financial Intelligence Units (FIUs). Moreover, the regulation aims to support and co-ordinate the exchange of information between FIUs and between FIUs and other competent authorities.
Key features of the regulation.
The regulation, along with associated directives, will form the legal basis for the AML/CFT framework in the EU, with transposition into national law, including Bulgaria, by a set deadline, which is supposed to be 1 July 2025.
Directive (EU) 2024/1640 (Anti-Money Laundering)
This Directive addresses mechanisms to prevent the use of the financial system for money laundering and terrorist financing at a national level.
It amends earlier directives and regulations to strengthen the AML/CFT framework in the EU. It emphasises the importance of transparency via the registers for bank accounts and electronic data retrieval systems, the role of central registers in tracking beneficial ownership and the interconnection of various automated mechanisms for monitoring financial transactions, such as the intended requirements for the establishment of a Single Point of Access to information on real estate property in each member state for access by the relevant competent authorities. Naturally, this piece of legislation, along with the above-described Regulation (EU) 2024/1620, is of utmost importance for the banking sector, since credit institutions are probably the most important gatekeepers when it comes to infiltration of the economy with illicit financial flows.
Generally, the directive is to be transposed into national laws by 10 June 2027, in all EU member states, including Bulgaria, whereas the deadline for certain aspects of the directive may differ – the changes to the central registers in tracking the beneficial ownership and those for bank accounts and electronic data retrieval systems by 10 July 2026, the Single Point of Access to information on real estate property by 10 July 2029, etc.
Iztok District
13B, Tintyava Street
Floor 6
1113 Sofia
Bulgaria
+359 2 971 3935
+359 2 971 1191
lawyers@penkov-markov.eu www.penkov-markov.eu/en