Fintech 2024 Comparisons

Last Updated March 21, 2024

Contributed By BJK Law

Law and Practice

Authors



BJK Law is a Slovenian law firm specialising in legal services for complex business transactions. The firm specialises in banking and finance, with a particular focus on financial regulation, fintech and syndicated loans. It also excels in corporate transactions, including M&A, restructurings, capital markets, EU law and competition law. The team collaborates with reputable law firms and professionals for practice areas and jurisdictions not covered by BJK Law. BJK Law offers legal expertise, commercial insight and entrepreneurial foresight. The firm is committed to sustainable development and takes a problem-solving approach.

The year 2023 in the fintech industry in Slovenia was marked, on the one hand, by significant regulatory changes in the EU and, on the other hand, by rapid development of the industry. One of the key regulatory changes in 2023 was the adoption of the Markets in Crypto Assets Regulation (MiCA), which has established a uniform regulatory framework for crypto-assets, their issuers and service providers. It will ensure the integrity of the crypto-asset market and foster innovation as well as boost the development of the industry and consumer confidence. However, it does not regulate mining, DeFi, NFTs, free crypto tokens and minor crypto holdings, and it does not change the existing legal framework for crypto tokens qualified as financial instruments.

The EU also adopted the Regulation on digital operational resilience for the financial sector (DORA) to strengthen the common level of digital operational resilience. The regulation will become effective in 2025. It also sets out the rules of contractual arrangements between information and communication technology third-party service providers and financial entities.

Regarding the rapid development of distributed ledger technology (DLT) which enables safer, quicker and cheaper transactions, the Commission continued with the co-ordination of numerous DLT-related activities. In March 2023, Regulation (EU) 2022/858 on a pilot regime for market infrastructures based on distributed ledger technology entered into force. It is expected that the regulation will increase the number of innovative fintech products and boost the innovation potential of the EU fintech industry.

The EU also pays special attention to promoting cybersecurity as it ensures the safety and stability of the financial system as a whole. To achieve a high common level of cybersecurity, the EU adopted the NIS 2 Directive on measures for a high common level of cybersecurity; the directive must be implemented in national regulation by 17 October 2024.

In Slovenia, the government adopted the Strategy for the development of the capital market in Slovenia by 2030. The plan is to establish a regulatory sandbox for the use of digital technologies, which will support the development of innovative fintech technologies and products.

The Bank of Slovenia continues to show support for the development of the fintech industry in Slovenia. Its Fintech Innovation Hub (FIH) still provides a platform for information on innovative financial business models and on the regulatory framework. FIH helps the fintech providers regarding crypto-assets, crowdfunding, regtech, blockchain and distributed ledger technology (DLT) solutions, alternative payment methods, etc.

It is predicted that the recent changes of the EU legislative framework will boost further development of the fintech industry while simultaneously protecting consumers and financial stability. However, as the existing EU regulatory framework for fintech services and providers is extensive and complicated, the challenge for the fintech industry remains how to ensure compliance and how to enter the market with new and innovative products.

Slovenia is one of the more innovative countries in fintech services, with business models in alternative payment methods, crypto-asset services, blockchain and DLT applications, crowdfunding and regulatory technology (regtech) dominating.

While fintech companies were initially seen as competitors or disruptors of the traditional financial industry (including banks and insurance companies), today the Slovenian banking space is witnessing co-operation between them. Fintech companies working with established players offer a wide range of services including data analytics, wealth management and open banking.

The regulatory regime applicable to fintech players depends on the business model and activities of the company. The following describes the main legislation applicable to typical fintech activities of companies registered in Slovenia, but the applicable regulations should be assessed on a case-by-case basis.

  • Payment Services, Services for Issuing Electronic Money and Payment Systems Act (ZPLaSSIED) – for companies providing payment services or electronic money issuing services; the supervisory authority is the Bank of Slovenia.
  • Market in Financial Instruments Act (ZTFI-1) – if the activities involve investments or securities or if the assets could be classified as financial instruments; the supervisory authority is the Bank of Slovenia.
  • Investment Funds and Management Companies Act (ZISDU-3), Alternative Investment Fund Managers Act (ZUAIS), Act on Form of Alternative Investment Funds (ZOAIS) – Fundtech – companies acting as investment funds or investment fund managers may be subject to more than one regulation in Slovenia and, depending on the circumstances, may be subject to supervision by the Securities Market Agency.
  • Banking Act (ZBan-3) – if the business involves activities such as deposit taking or is an activity carried out by banks, the supervisor is the Bank of Slovenia.
  • Consumer Credit Act (ZPotK-2), Consumer Protection Act (ZVPot-1) – if the business involves offering products or services to consumers; the supervisory authority is the Market Inspectorate.
  • Insurance Act (ZZavar-1) – Insurtech – companies providing insurance services are subject to the Insurance Act and the Insurance Agency; the supervisory authority is the Insurance Agency.
  • Personal Data Protection Act (ZVOP-2) – for all questions related to data protection.
  • Prevention of Money Laundering and Terrorist Financing Act (ZPPDFT-2) – Blockchain and Virtual Assets: companies providing virtual asset services must register with the Office for Money Laundering Prevention and are subject to the obligations set out in the law.

Most of the above laws are accompanied by various technical standards, regulations, circulars and guidelines issued by the competent authorities, which must also be complied with. In addition, relevant European legislation and directives (eg, Prospectus Regulation, MiCA, DORA, DLT – pilot framework) must also be taken into account.

The payment models that industry players can use to charge customers vary mainly according to the service provided by the company and the type of customer. For some players and services, particularly those that are regulated, certain pre-contractual obligations (including disclosure of costs) must be met.

There are currently (before MiCA takes effect) no regulations specifically tailored to the fintech industry. Unlike banks and other regulated entities, fintech companies are not automatically subject to any legislation other than anti-money laundering legislation.

However, given the size and business model of fintech companies, certain rules applicable to legacy players would typically not apply to fintech companies. Furthermore, where a regulated institution delegates tasks to an unregulated fintech company, the latter must implicitly comply with the range of obligations of a regulated institution. A regulated institution that outsources services must ensure compliance under the outsourcing agreement. However, if the fintech company does not provide the regulated services as its service to the client and this is sufficiently clear to the client, the fintech company itself does not need a separate licence.

The situation is likely to change in the context of future EU and Slovenian legislation. The Crowdfunding Enforcement Act, MiCA, DORA and the DLT pilot framework point in this direction.

Slovenia currently does not have a regulatory sandbox. Based on the Strategy for the Development of the Capital Market in Slovenia for the period 2023–2030, adopted by the government, a regulatory sandbox for the use of digital technologies is in the process of being set up. In 2019, Slovenia, under the leadership of the Ministry of Economy and Technology, which is in charge of the regulatory sandbox, launched a national test infrastructure based on the SI-Chain blockchain technology, which is expected to enable the testing and implementation of existing and new applications based on this technology for the public and private sectors. The SI-Chain blockchain technology will be used in both the public and private sectors.

Fintech companies may be supervised by several regulators in Slovenia, of which the following are the most relevant.

  • Bank of Slovenia – The Bank of Slovenia is the competent authority for the prudential supervision of credit institutions, payment institutions, electronic money institutions, etc. In addition, the Bank of Slovenia is also the competent authority to ensure that such supervised entities comply with the laws protecting financial consumers and with anti-money laundering laws.
  • The Securities Market Agency – The Securities Market Agency is responsible for the supervision of brokerage firms, banks providing investment business and services, management companies, alternative investment fund managers, investment funds, mutual pension funds, public companies, and public limited companies to which the Takeover Act applies.
  • The Insurance Supervision Agency – The Insurance Supervision Agency is the competent supervisory authority for the insurance sector in Slovenia, which includes mainly insurance undertakings, reinsurance undertakings, certain pension funds, insurance professionals and insurance intermediaries.
  • The Information Commissioner – The Information Commissioner is the national authority to verify the legality of the processing of personal data and ensures the respect of personal freedoms and fundamental rights concerning data protection and privacy.
  • European Regulators – In addition to national regulators, technical guidelines issued by the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) apply in Slovenia. Significant credit institutions incorporated in Slovenia are directly supervised by the European Central Bank (ECB).

Regulated functions can be outsourced. When outsourcing critical or important functions, all financial institutions must follow the European Banking Authority’s (EBA) Guidelines on outsourcing arrangements (“EBA’s Guidelines”). In 2019, the competent authority (Bank of Slovenia) determined the application of EBA’s Guidelines to:

  • banks and savings banks authorised to provide banking services in the Republic of Slovenia;
  • payment institutions which have obtained a licence to provide payment services as a payment institution;
  • electronic money issuance companies, authorised to issue electronic money; and
  • the Bank of Slovenia.

EBA’s Guidelines specify the critical and important functions and set out the key requirements for internal governance and risk management. EBA’s Guidelines oblige the management body of an institution or payment institution to approve a written outsourcing policy and ensure its implementation. EBA’s Guidelines also set out specific requirements regarding outsourcing agreements (eg, clear identification of the outsourced function, agreed service levels which should include quantitative and qualitative performance targets for the outsourced function, reporting obligations, insurance, implementation of business contingency plans, duty to co-operate with the competent authority, sub-outsourcing, security of data and systems, access, information and audit rights).

In 2021, the European Securities and Markets Authority (ESMA) published Guidelines on outsourcing to cloud service providers which (among others) apply to alternative investment fund managers (AIFMs), depositaries of alternative investment funds (AIFs), undertakings for collective investment in transferable securities (UCITS), management companies and depositaries of UCITS, investment firms and credit institutions. The ESMA Guidelines require that pre-outsourcing analysis and due diligence are performed prior to entering any outsourcing agreement; they also set out the rules on key contractual elements, information security, access and audit rights and sub-outsourcing.

These rules may change in 2025 on the implementation of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), which sets new rules for outsourcing in the financial sector.

Even though there are no specific rules on gatekeeper liability in force in Slovenia, fintech providers may have responsibility for activities on their platform, based on the type of platform and services they perform. If their services are subject to the AML/CFT legislation, they must perform client due diligence and report any suspicious or unlawful transactions.

The Bank of Slovenia and the Securities Market Agency (ATVP) as regulators oversee the financial sector in Slovenia. Enforcement actions in this sector include fines, licence revocations or criminal proceedings against banks and financial institutions.

To the writers’ knowledge, there have been no specific enforcement actions against fintech providers in Slovenia. However, the regulators may open an investigation where the services provided by a fintech firm (eg, investment advice) fall within the scope of regulated financial (investment) services.

All fintech providers must also abide by other non-financial services regulations that apply to legacy players as well. Such regulations are consumer protection legislation, data protection (GDPR), competition and intellectual property law.

AML/CFT laws apply to fintech firms that are engaged in regulated activities (banks, payment institutions, investment funds, electronic money issuance companies, etc).

Fintech firms must also follow the Digital Services Act (DSA), which applies to all platforms (including intermediary services and online platforms) from 7 February 2024 and Regulation (EU) 2022/2554, which sets out the rules on digital operational resilience for the financial sector (DORA).

In future, fintech firms will also have to abide by the European Data Act (applicable from September 2025), which attempts to ensure fairness in the data economy by creating a competitive data market and offering legal clarity regarding the use of certain types of data.

Some industry participants are required by law to have their annual reports (financial statements) audited by a certified auditor. On top of that, the activities of industry participants are also subject to review by several other authorities, such as tax authorities, the AML/CFT authorities, the Market Inspectorate (eg, regarding compliance with consumer protection rules), the Information Commissioner, the Public Agency for the Protection of Competition, etc.

Industry participants may offer regulated and unregulated products and services. They often operate through the same legal entity that offers both regulated and unregulated products and services. Such integration allows fintech providers to leverage synergies, streamline operations, and provide a seamless user experience across different offerings.

Sanctions rules bind fintechs that provide certain services covered by restrictive measures imposed on the countries, institutions or individuals targeted by the sanctions. They must fully comply with international sanctions regimes imposed by the European Union (EU), United Nations (UN) and other relevant authorities. As a consequence, they may be required to conduct enhanced due diligence and adopt additional risk assessment measures.

Regardless of the adopted business models, the regulatory framework of robo-advisers differs, depending on the asset class for which robo-advisers provide their services.

If robo-advisers provide any sort of investment services regarding financial instruments (eg, if a robo-adviser provides investment advice), they could fall within the scope of the Market of Financial Instruments Act that implemented MiFID II. As investment services may only be carried out by a licensed broker-dealer firm, an investment firm, a bank or a special financial institution, such robo-adviser would need to meet additional conditions.

Robo-advisers may also fall within the scope of fund managers if they perform portfolio management services (please see 6.1 Regulation of Fund Administrators).

Legacy players have not yet widely implemented solutions of robo-advisers in Slovenia. However, as the industry has seen a rapid development recently, implementation cases are expected within a year or two.

Under MiFID II as implemented in the Market in Financial Instruments Act, the “best execution” principle applies to ensure that investment firms execute orders on terms that are most favourable to the client. If a robo-adviser falls within the scope of MiFID II, it must comply with this requirement and adapt its operating principle accordingly.

The advantage of robo-advisers, however, is that they can make the best possible use of technology to comply with the best execution principle. Their algorithms must therefore comply with the regulatory conditions and the robo-adviser’s internal policies, which requires a significant degree of coordination between the company’s IT and compliance functions. If a robo-adviser does not act according to the “best execution” principle (eg, as a result of software malfunction, faulty software code, temporary disruptions), it may be subject to liability.

There are significant differences in the regulation of loans to individuals and loans granted to other entities. While loans granted to all other entities (SMEs, legal persons) are subject to the general rules of the law of obligations, thus allowing greater freedom in the content of the loan agreement, consumer loans are subject to certain restrictions laid down in the Consumer Credit Act to protect consumers from unfair business practices and ensure responsible lending.

The Consumer Credit Act lays down rules on the advertising of consumer credit, and the obligation to provide free pre-information on the credit agreement, which enables the consumer to compare different offers. The act also regulates the compulsory content of the credit agreement, indexes or reference interest rates, changes in the credit interest rate and charges, cancellation and termination of the credit agreement, early repayment and assignment of claims, and the maximum permissible effective interest rate. A creditor must obtain a licence to provide consumer credit services before starting to provide consumer credit services (subject to certain exceptions).

All lenders (regardless of whether they are online lenders or not) must obtain a consumer credit licence before granting loans to consumers (certain exceptions apply, eg, for credit institutions).

The process of underwriting is highly regulated. Online lenders are subject to the same regulations regarding the underwriting process as other loan providers. The underwriting process varies depending on whether the borrower is a consumer or not.

Before concluding a credit agreement with a consumer, a lender must assess the consumer’s creditworthiness based on relevant information on the consumer’s income and expenditure or assets. The lender obtains information on the consumer’s indebtedness from personal databases held by other controllers. The underwriting process relies on SISBON, a system for exchanging information on the indebtedness of consumers, which was set up to manage the credit risk of banks, savings banks and other creditors to ensure responsible lending and prevent over-indebtedness of consumers.

Online lenders in Slovenia do not publicly disclose the sources of the funds for loans. However, it is well known that most of them use lender-raised funds and deposits as their main source of funds. Taking deposits to finance loans is limited to banks. With the further development of online lending in Slovenia, it is expected that providers that finance loans through securitisation and peer-to-peer lending will also enter the market.

According to the writers’ information, online loan syndication is not yet present in Slovenia.

Payment processors may either choose existing payment rails or create and implement new ones based on their strategic objectives, technological capabilities and market dynamics. Implementation of new payment rails is subject to compliance with relevant regulations and licensing requirements. For all (existing and new) payment rails, safe and secure operations must be ensured in accordance with the regulations.

Cross-border payments and remittances are governed by several regulations. The Cross-Border Payments Regulation (CBPR) ensures that cross-border payments in the EU are subject to the same charges as domestic payments. The SEPA Regulation enables payments in euros to be made within the EU and participating countries under the same basic conditions, regardless of geographical location. In Slovenia, PSD2 was implemented in the Payment Services, Services for Issuing Electronic Money and Payment Systems Act.

Investment funds in Slovenian legislation are divided into undertakings for collective investment (UCITS) and alternative investment funds (AIFs). Administrators of both types of funds are regulated. The regulation of fund administrators differs depending on the type of fund.

Fund administrators of AIFs are regulated by the Alternative Investment Fund Managers Act. An AIF administrator can only be a legal person who has obtained a valid licence from the Securities Market Agency (ATVP) to provide those services. An AIF administrator provides its services based on a contract with the AIF management or a contract with the AIF itself. Fund administrators must report annually to the Agency.

The AIF administrators must establish and implement a sound and reliable management system, using the appropriate human and technical resources necessary for the proper provision of administrative services, considering the administrative services provided, the nature and the size of the AIF assets for which the administrative services are provided. The AIF administrator must maintain and operate effective organisational and administrative arrangements to take all reasonable steps to identify, prevent, manage and monitor conflicts of interest so as not to adversely affect the interests of the AIFs for which it provides administrative services or their investors. The AIF administrator must establish and implement appropriate risk management systems to adequately identify, measure, manage and monitor the risks relevant to the conduct of its business.

Administrators of UCITS are regulated by the Investment Funds and Management Companies Act. UCITS may only be managed by a management company with a licence issued by a competent authority (Securities Market Agency – ATVP). The law lays down rules on the activities of the management company, its share capital, shareholders, the management and supervisory bodies, the rules of conduct for the provision of services by the management company and its capital adequacy.

Contractual terms that fund advisers seek to impose on fund administrators to assure performance and accuracy are subject to industry custom and general rules of contract law. Such relationships are usually governed by a service agreement that sets out in detail the rights and obligations of both parties. Such agreements usually include liability clauses that set out the responsibilities of the fund administrator, including limitations of liability for errors or omissions. Due to the sensitive nature of the financial data concerned, contractual provisions on confidentiality, data protection and information security are essential. The contract may describe measures to protect confidential information and comply with data protection regulations.

Contractual provisions to ensure efficiency and accuracy are usually included in Service Level Agreements (SLAs), which describe the specific services to be provided by the fund manager, together with performance criteria, response times and quality standards. These agreements help to ensure that the fund administrator provides services in a timely and accurate manner.

Under MiFIR/MiFID II rules, as transposed into national law, trading venues in Slovenia can be divided into three categories:

  • organised markets;
  • multilateral trading facilities (MTFs); and
  • organised trading facilities (OTFs).

Operators of an organised market, an MTF or an OTF are subject to the authorisation and supervision of the Securities Market Agency. If the financial instruments are issued through DLT technology, the company operating the platform could apply for a licence under the EU DLT Pilot Regime Regulation.

Crowdfunding platforms can operate under the EU Regulation on crowdfunding services. However, trading on the secondary market of financial instruments issued in the context of crowdfunding offers is possible only to a limited extent.

Invoice trading platforms are not subject to the MiFID II framework but could require a specific licence to operate under specific circumstances.

In addition, once in effect, the adopted EU regulation on markets in crypto-assets (MiCA) will provide a specific legal framework applicable to crypto-asset service providers, including crypto-asset trading platforms, requiring these service providers to be authorised by the competent authority.

Different asset classes falling under the scope of financial instruments are largely subject to the same regulatory regime. Crypto-assets currently seem to follow this approach to the extent that they qualify as financial instruments. For now, the existing financial services laws will apply to such crypto-assets. Also, cryptocurrencies that qualify as e-money may fall under the applicable e-money laws.

Cryptocurrencies have not yet led to a significant change in national regulation. Except for the registration with the Anti-Money Laundering Office, cryptocurrencies fall into the existing legal framework. This situation is, however, expected to change when the adopted EU regulation on MiCA comes into effect, introducing a prudential regime for cryptocurrency exchanges.

Listing standards vary depending on the trading venue and the type of financial instrument. There are no specific listing standards that apply to fintech marketplaces or trading platforms. Cryptocurrencies are not subject to the control of the Securities Market Agency to the extent that the services do not fall within a regulated area.

Following the MiFID II/MiFIR framework, the Market in Financial Instruments Act requires that investment firms and credit institutions that are authorised to execute orders on behalf of their clients must implement procedures and arrangements that provide for the prompt, fair and expeditious execution of client orders, relative to other client orders or their trading interests. Trading platforms that operate under a MiFID II licence must carry out their services in accordance with the rules set out under MiFID II. Platforms that are not subject to the MiFID II regulatory regime are not subject to any specific regulations in terms of order handling rules at the moment.

The emergence of peer-to-peer trading platforms is changing market conditions for both traditional and fintech players. However, peer-to-peer trading platforms subject to MiFID II must operate following the same rules that apply to traditional market players.

The application of MiFID II best execution rules to peer-to-peer trading platforms depends on the role played by the platform in order execution and the qualification of the services offered to its clients. If a platform operator is subject to a best execution obligation, it must take appropriate measures to ensure that its clients receive the best possible execution of their orders, regardless of the trading venue. When considering how to execute an order, platform operators should take into account several factors, which should be reflected in the order execution policy approved by the firm operating the trading platform.

The payment of such compensation is subject to the limits of the incentive regime under MiFID II. The firm receiving the payment must demonstrate that the compensation improves the quality of the service provided to clients, eg, because the trade execution route would otherwise not be available. Payments for order flow are therefore only permitted if they pass the test to qualify as permissible inducements under the MiFID II rules.

The basic legal framework to preserve market integrity is laid out in the Market Abuse Regulation (MAR). Compliance with some transparency obligations is also required.

MiFID II and the Market of Financial Instruments Act regulate high-frequency and algorithmic trading with financial instruments in Slovenia. However, due to its relatively underdeveloped and shallow capital market, high-frequency algorithmic trading in Slovenia (Ljubljana Stock Exchange) is virtually non-existent. Asset classes other than financial instruments are not regulated.

In terms of the Market of Financial Instruments Act, high-frequency algorithmic trading is an investment service. Investment services may only be carried out by a licensed broker-dealer firm, an investment firm, a bank or a special financial institution, which means that only these subjects are allowed to engage in high-frequency algorithmic trading.

A broker-dealer firm using high-frequency algorithmic trading shall have effective systems and risk controls appropriate to its activities to ensure that its trading systems are resilient and sufficiently robust, have appropriate trading thresholds and limits, prevent the sending of erroneous orders and prevent activity that could harm or damage the markets.

A broker-dealer firm using a high-frequency algorithmic trading technique, in accordance with the Delegated Regulations 2017/578/EU and 2017/589/EU, shall keep accurate and time-disaggregated data on all orders placed and cancelled, orders executed and price quotes on trading venues, and shall make them available to the competent authority upon request.

Under Slovenian legislation, a market maker is a person who continuously participates in the market for financial instruments and is willing to deal on its own account by buying and selling financial instruments against its own capital at prices it determines. Market makers operating in a principal capacity are subject to certain registration and/or licence requirements under the Market of Financial Instruments Act as their market maker activity falls within the scope of investment services.

Market makers must report their activities to the competent authority in certain cases. They are also obliged to enter into a contract with the stock exchange, which must set forth the market-making strategy of the exchange market and ensure that there are sufficient market makers. The contract shall specify the obligations of the market maker with respect to the provision of liquidity and the incentives in the form of discounts or other benefits to be received by the market maker for the provision of continued liquidity.

The Market of Financial Instruments Act does not distinguish between funds and dealers engaged in high-frequency algorithmic trading. The main difference between the two business models is that investment funds trade for their own account, while dealers trade for the account of their clients.

Programmers who develop and create trading algorithms and other electronic trading tools are not directly regulated. However, the investment firms that use their products must ensure that trading algorithms and other electronic trading tools comply with all regulatory requirements.

DeFi is currently not regulated in Slovenia.

Financial research platforms and participants are not subject to registration unless they provide one or more investment services or transactions relating to financial instruments, as defined in the Market of Financial Instruments Act (subject to certain exceptions).

For example, if a platform or a participant provides personal recommendations to a client on one or more transactions relating to financial instruments (either at the client’s request or at the platform’s or participant’s own initiative), that qualifies as investment advice, which is an investment service.

In Slovenia, investment services may only be carried out by a licensed broker-dealer firm, an investment firm, a bank or a special financial institution. So, if financial research platforms or their participants provide one or more investment services, they are required to register and/or obtain a valid licence.

Disseminating information which gives false or misleading signals as to the supply of, demand for or price of a financial instrument, a related spot commodity contract or an auctioned product, where the person who made the dissemination knew, or ought to have known, that the information was false or misleading, is an act of market manipulation under Article 12 of Regulation (EU) No 596/2014. Market manipulation is prohibited and may have damages implications.

If acts of market manipulation are carried out with the purpose of obtaining an unlawful financial advantage, such acts constitute the offence of market abuse in financial instruments under the Slovenian Criminal Code.

Pump and dump schemes, as well as the spreading of inside information, qualify as acts of market manipulation, which is prohibited and punishable.

As financial research platforms are not regulated in Slovenia, there is no regulatory framework regarding the supervision (curation) of posts by third parties. However, such platforms usually implement various measures to prevent any form of unacceptable behaviour, eg, user registration and verification protocols, community guidelines, codes of conduct, moderation and content monitoring, and reporting mechanisms, which all help mitigate risks and enhance investor protection.

A distributor of insurance products in Slovenia can only be a licensed insurance agent, a licensed insurance intermediary, a licensed insurance agency company, a licensed insurance intermediary company, a supplementary insurance agent, a bank or an insurance company.

Although insurtech providers are not specifically regulated in Slovenia, they are also subject to regulation and restrictions related to insurance products and data protection.

Insurance companies in Slovenia are subject to strict regulatory requirements. Among them is the requirement to manage various risks, including insurance risk, which is the risk of loss or adverse change in the value of insurance liabilities due to inadequate premiums and inappropriate assumptions taken into account in the calculation of insurance reserves. In order to mitigate that risk, the industry adopted a number of common practices and principles (some of which are required by regulations).

Industry participants pay special attention to underwriting processes as they are well aware that these are an integral part of their risk management. They all implement certain limits for admission to insurance and a complex system of authorisations. They also use a range of actuarial techniques to manage the risks.

Among the most important underwriting processes is risk assessment aimed at evaluating the risks associated with insuring a particular person or object, which is usually accompanied by strict underwriting guidelines or standards adopted by the insurance company that set forth the criteria for acceptable risk parameters.

Different types of insurance are treated differently by industry participants and regulators due to variations in product characteristics, associated risks, regulatory framework and risk profile.

As a general rule, an insurance company may offer either life insurance products or property insurance products but cannot offer both types of insurance products (certain exceptions apply). For life and property insurance, different risk assessment modules are prescribed by law, reflecting the risks associated with a certain type of insurance.

Regtech providers are not regulated in Slovenia and there are currently no legislative initiatives to regulate this area. However, as regtech providers operate within the complex regulatory frameworks of the financial sector, they may be subject to different regulations depending on the nature of their activities and the specific services they offer.

If a regtech provider performs a process, service or activity that a bank would otherwise perform itself, the Bank of Slovenia may, under certain conditions (eg, in the event of a breach of regulations), prohibit or restrict the bank from entering into individual transactions or transactions of a certain type and require a gradual reduction in the volume of transactions entered into with the regtech provider.

Should a regtech provider engage in any of the regulated activities (eg, if they provide investment advice, offer payment services or act as a financial intermediary), they need to register or obtain a licence. Regtech providers may also be subject to non-financial regulations (eg, data protection – GDPR).

To ensure that regtech providers’ solutions meet financial services firms’ performance and accuracy expectations, the parties usually regulate the matter contractually. As regtech providers are not regulated in Slovenia, such contractual terms are negotiated on a case-by-case basis, as financial services providers seek to ensure compliance with regulatory requirements, protect personal and other sensitive data and mitigate risks.

To achieve that, financial services providers usually conclude Service Level Agreements (SLAs) that define performance metrics and required service levels (KPIs), response times and data accuracy. They also include data security and confidentiality provisions and indemnification and liability clauses to protect the financial services providers against potential losses, damages or liabilities that may arise from the regtech provider’s breach of contract, negligence or misconduct.

SLAs often regulate intellectual property rights as financial services providers seek clarity on ownership rights and intellectual property protections related to the proposed regtech solution (such clauses usually specify ownership of technology, licensing arrangements, and restrictions on the use or disclosure of confidential information).

Initially, traditional players were not eager to implement blockchain in their services/product offerings. However, with time the situation has changed and traditional players are considering using blockchain-based services or platforms differently. Several banks consider the possibility of using blockchain for cross-border payments and remittances, and blockchain-based digital identity solutions are being developed to improve customer onboarding and identity verification processes. Additionally, the Slovenian Ministry of Finance issued the Capital Market Development Strategy to establish a single platform for investing in SMEs, and raising capital for SMEs, ensuring efficient, easy, safe and transparent trading.

While crypto-assets are not generally defined in Slovenian law, the Slovenian AML legislation provides a specific definition of “virtual currencies” to identify entities subject to Slovenian AML obligations. Therefore, the actors need to register with the Office for Money Laundering Prevention.

The Securities Agency published its view a while ago that ICOs (initial coin offerings) cannot constitute a public offering of (transferable) securities to the public, as the tokens cannot be classified as transferable securities. The Agency has also published a warning about purchasing cryptocurrencies as very risky investments. On the other hand, the Agency has set up a platform – the Financial Innovation Hub – to monitor technological innovations and new approaches, linking ideas to financial market regulation and allowing interested stakeholders, in accordance with the legislation, to provide their views.

Similarly, the Bank of Slovenia (ie, the regulator for credit institutions, payment systems and institutions, and electronic money companies) has established a single point for the exchange of information related to innovative business models and for clarification of regulatory requirements in all areas under the Bank of Slovenia’s competence. It is intended for market operators who wish to offer financial technology (fintech) based solutions on the market and are interested in which regulatory requirements they will have to comply with if they provide services in Slovenia or within the European Economic Area. In addition, the Bank of Slovenia has published a Q&A on cryptocurrencies on its website, where it explains the legal nature of cryptocurrencies and the risks associated with them.

Currently, in national legislation cryptocurrencies are only regulated under the Prevention of Money Laundering and Terrorist Financing Act. The Bank of Slovenia (ie, the banking regulator and the regulator of payment systems and institutions and electronic money companies) has published on its website that crypto-assets can be defined as a digital representation of value or rights that can be electronically transferred and stored using distributed ledger technology or similar technology. Crypto-assets are a form of digital record of value that is not issued by (and therefore not guaranteed by) a central bank or other government authority. They can be electronically transferred, stored and exchanged, and are not necessarily linked to a conventional or legal (fiat) currency but are accepted as a medium of exchange by natural and legal persons. In addition to the term crypto-assets, the terms crypto-metals, virtual currencies, cryptocurrencies and digital currencies are also used to refer to the same phenomenon. Nevertheless, cryptocurrencies are neither legal currencies nor legal tender issued by central banks and other public authorities.

Depending on the nature of the assets, the issuer may, inter alia, be subject to:

  • the Financial Instruments Markets Act;
  • the Prospectus Regulation;
  • the Anti-Money Laundering Act;
  • the Market Abuse Regulation; and/or
  • the MiFID II framework.

It should be noted, however, that according to the Securities Agency’s interpretation, blockchain assets such as coins are not likely to be classified as financial instruments and therefore do not fall under its supervision.

Currently, only virtual currency service providers (with a registered office or branch in Slovenia) are regulated under the Slovenian Prevention of Money Laundering and Terrorist Financing Act and must register with the Office for Money Laundering Prevention before commencing business.

Notwithstanding the above, it should be noted that lending is regulated as a financial service under the Slovenian Banking Act, which applies only to financial institutions. In addition, the Consumer Protection Act applies to lending to consumers. Therefore, licensing requirements could be triggered under Slovenian law for a non-financial institution if the lending of digital assets would be considered as lending (eg, e-money lending) and would fall under the scope of the Consumer Protection Act.

A licensing requirement could also be triggered if any activity carried out on a decentralised financial platform (DeFi) would fall within the scope of payment services.

In one of its non-binding opinions, the Securities Agency stated that the technology that enables investment in distributed finance is still in development and untested, while the platform providers that enable this type of business are not supervised entities.

There is no specific legal framework under Slovenian law for investment funds investing in digital assets. Investment funds, regardless of their activity, are regulated by various laws, including the Act on Alternative Investment Fund Managers and the Act on Forms of Alternative Investment Funds. General EU legislation on UCITS and AIFM also applies. The Prospectus Regulation is also fully applicable in Slovenia and may be applied under certain conditions.

Where the services provided by the fund meet the criteria in the Anti-Money Laundering Act, the fund will need to register as a virtual asset service provider.

While crypto-assets are not generally defined in Slovenian law, the Slovenian AML legislation provides a specific definition of “virtual currencies” to identify entities subject to Slovenian AML obligations. However, the above definitions do not cover several blockchain assets, such as asset tokens, investment or security tokens and NFTs.

Currently, only virtual currency service providers (with a registered office or branch in Slovenia) are regulated under the Slovenian Prevention of Money Laundering and Terrorist Financing Act and are required to register with the Office for Money Laundering Prevention before commencing business.

A licensing requirement could also be triggered if an activity carried out on a decentralised financial platform (DeFi) would fall within the scope of payment services. Such activities may only be carried out by a licensed payment service provider in the course of its business.

Notwithstanding the above, it should be noted that, under certain conditions, lending is a regulated activity under the Slovenian Banking Act or Consumer Credit Act and may trigger the need to obtain a licence.

Despite their popularity (eg, Slovenia issued a token at Expo), there are no specific provisions governing NFTs or related activities under Slovenian law. However, the general principles of consumer protection, competition, marketing, the General Data Protection Regulation (GDPR), protection of intellectual property rights, etc may apply.

PSD2 has had a remarkable impact on the development of open banking in Slovenia, establishing a regulatory framework and fostering greater competition and innovation in the financial sector. PSD2 also granted access to payment systems and accounts to third-party providers. At the same time, it has ensured that state-of-the-art security mechanisms are embedded in processing systems, which on the one hand ensures greater security of customers’ personal and financial data and on the other hand strengthens their trust in open banking providers. All this has enabled new providers such as fintech start-ups to develop innovative products and services. Open banking has allowed consumers to take full advantage of advanced payment and banking solutions.

Generally, banks and technology providers in Slovenia follow global trends. Both GDPR and PSD2 mandate strict data privacy and security measures aimed at ensuring consumers’ personal and financial data are protected. Any transfer of personal data about a consumer between a bank and a third party provider requires the consumer’s consent.

Banks and technology providers take a multi-faceted approach to addressing data privacy issues and data security concerns, which includes regulatory compliance (GDPR, PSD2), technological innovation and customer education.

Technology providers have implemented secure APIs for data sharing, with special attention paid to encryption and authentication mechanisms aimed at protecting personal and other information transmitted between banks and third-party providers. Banks and technology providers also use data encryption and have incident response plans in place that help them promptly address and mitigate data breaches or other security threats. Special attention is given to data minimisation: only the information required for a specific transaction is shared, which limits the exposure of personal and other sensitive information. The question of liability for damages in the event of a data breach (bank or third-party provider) has been raised, but has not yet been answered by case law.

Fraud in financial services and fintech takes various forms and involves different elements. Among the most common types of fraud are money laundering, identity theft, payment card fraud, phishing, investment scams and data breaches. Money laundering, misuse of personal data and misuse of non-cash means of payment (including card-based and electronic-based) as well as the use of counterfeit non-cash means of payment are criminal offences under the Criminal Code. Other types of fraud, however, most often have the elements of the criminal offence of fraud and could be prosecuted on this basis.

Despite the rapid development of the fintech and financial sector, new criminal offences that would apply to the new forms of fraud specific to and emerging in these sectors have not yet been implemented in Slovenian legislation. There are currently no legislative initiatives in this area.

While regulators in Slovenia closely monitor all types of fraud in the fintech and financial sector, they mainly focus on:

  • AML and CFT (mainly carried out by the Office for the Prevention of Money Laundering);
  • data privacy breaches;
  • cybersecurity breaches; and
  • payment card fraud.

Recently, regulators have been carrying out a number of campaigns to raise people’s awareness so that they can recognise the risks of fraud in the financial services sector and better protect themselves.

BJK LAW

Slovenska cesta 54
1000 Ljubljana
Slovenia

+386 31 329246

info@bjk-law.com www.bjk-law.com