Fintech 2021

Last Updated March 18, 2021

Bosnia & Herzegovina

Law and Practice


BH Legal – Law Office Mirna Milanović-Lalić is a full-service commercial law practice with market-leading expertise in advising and representing both multinational and local companies, in all aspects of commercial law. Lawyers are experienced in the following practices: M&A, banking and finance, projects and infrastructure, corporate, commercial, employment, tax, real estate and non-profits. The firm’s team specialises in commercial and civil litigation and has assisted several financial institutions since its incorporation in matters involving financing, insurance and regulatory issues. The firm’s clients include several IT market leaders, for which they provide guidance and representation in complex deals involving financing, privacy, and regulatory.

Bosnia and Herzegovina (BiH) is composed of the Federation of Bosnia and Herzegovina (FBH) and Republika Srpska (RS) — two entities with their own legislation — and the Brčko District (BD), a special administrative unit. Applicable legislation may be on the state level or between these entities, therefore the regulation relevant to the fintech industry may differ across the state. The BiH fintech ecosystem is influenced by the strong presence of the financial industry, with the traditional banking sector standing as the backbone of BiH economy.

Despite challenges, the BiH fintech industry has been developing at a fast pace. BiH IT industry companies (also operating in fintech) operate globally rather than locally, supporting commercial banks and financial institutions amongst others. BiH companies provide contemporary solutions for payment systems in central and south-east Europe and provide fintech-related outsourcing solutions to foreign start-ups and mature businesses.

One of the largest national developments is that of a new platform that has elements of Open Banking. This platform has been established by several key BiH players — one of the largest banks, a telecommunications operator and technology providers — and is fully operational. Use of the platform is not limited, and it is expected that other banks and financial institutions may join. This would pave the way for future fintech developments in the next 12 months and may be indicative of steps towards new implementations across the technological industry.

Most BiH fintech business models focus primarily on payment solutions (services and analytics) and digitalisation projects. A considerable number of businesses provide solutions to financial institutions and, as such, the banks are the largest drivers and innovators of the BiH fintech industry. Mobile banking has become the norm, with most BiH banks now offering clients the possibility of payments and money transfers via messaging applications. Each bank implements such (or similar) solutions to maintain or increase its position on the market. As an example, a BiH bank organised the Elevator Lab Challenge in 2017, of which the fourth round is taking place in 2021. This challenge is an opportunity for companies to win a prize and be included in a four-month accelerator program in Vienna. The invitation is open to all start-ups who digitise areas of business and finance, primarily those involved in improving customer experience, predictions and analytics of different aspects of the business, but also to those improving the digitalisation of the financial sector.

New players include new fintech start-ups and already established IT industry companies which have partly stepped into the fintech industry. Projections for these new players are good, and it is expected that not only will many BiH companies accept the dynamic nature of the fintech industry, but more importantly that banks and financial institutions will further seek fintech solutions.

The regulatory regime in BiH is, to a certain degree, flexible and technologically neutral with regard to fintech industry developments. It is worth noting that BiH has a decentralised government system (please see 1.1. Evolution of the Fintech market). Thus, when a case arises within a state entity or the administrative unit, the regulation (or the interpretation of it) may differ from the rest of the state. As such, any future regulatory developments may be implemented separately between these entities (please see 2.6 Jurisdiction of Regulators).

There are neither provisions governing compensation models nor rules regulating fees that may be charged by fintech companies to their customers. However, compensation models need to be in-line with the principles of the consumer protection laws (eg, fair advertising) as well as with the provisions from banking laws regulating the use of financial services and with the provisions of the personal data protection legislation.

There is currently no double-tier fintech regulation which distinguishes between legacy players and new players.

There is no regulatory sandbox in BiH.

The Central Bank of Bosnia and Herzegovina (CBBiH) supervises the country's monetary policy, but there are two separate banking regulatory authorities – the Banking Agency of FBH and the Banking Agency of RS, both competent for general supervision of banking markets in BiH inter alia. As such, if an industry participant operates in both FBiH and RS it may have to comply with two separate regulatory regimes which may differ. Both banking agencies perform activities such as:

  • issuing permits for the operation of banks, microcredit organisations and leasing companies;
  • approving organisational changes in banks, microcredit organisations and leasing companies;
  • issuing consent for the appointment of the bank’s management staff;
  • issuing permits for internal payment transactions; and
  • collecting, processing and recording the data provided in accordance with regulations.

Notwithstanding the above, the fintech industry is (and may be) subject to other authorities’ regulation and supervision,  and the undertakings may be subject to approval of the Competition Council of BiH (which has been the case for the noted Open Banking co-operation – please see 1.1 Evolution of the Fintech Market). In general, the Data Protection Agency of BiH has the competence to provide advice and opinions regarding the protection of personal data, to perform other duties prescribed by law and to monitor the presentation of data from BiH. Additionally, the consumer protection ombudsman offers state-level protection to consumers and one of its main goals is to propose and initiate the resolution of consumer disputes using alternative dispute resolution mechanisms.

The banking sector is the only area with specific regulations on outsourcing. Outsourcing activities are regulated by the banking regulatory authorities in FBiH and RS. The banking sector may outsource activities provided such outsourcing complies with minimum standards and reporting obligations as stipulated in the applicable regulations. The banking sector may outsource activities to any legal person which is authorised to perform activities that are subject to externalisation. On the other hand, the legal person (service provider) has several obligations, including the following:

  • obligation not to disclose or publish the visit of third parties;
  • obligation to keep banking and business secrets;
  • obligation to inform the principal in a timely manner about all facts and changes in circumstances that significantly affect or that could significantly affect the fulfilment of contractual obligations; and
  • obligation to act in full compliance with the pertinent BiH regulations.

Additionally, the service provider should allow the principal to supervise the location where the services are provided and to allow access to the premises and documentation. However, a banking sector participant is not allowed to outsource the following:

  • activities for which it obtained a license and authorisation from the competent regulator;
  • all responsibilities under licenses cannot be transferred to the service providers;
  • the rights of the supervisory board and management; and
  • the control it has within the board (ie, management functions, monitoring, compliance and other functions).

There are no laws or regulations referring specifically to financial platforms. Therefore, any implications must be assessed under the general principles of provision of (financial) services in BiH and Anti Money Laundering Law of BiH, which imposes an obligation for industry participants to take measures to detect and prevent money laundering and terrorist financing.

There are no known publicly available enforcement actions that have been taken by the regulators.

Many non–financial regulations indirectly influence (or may influence) the fintech industry. Industry participants must comply with the provisions of the following regulations.

  • Consumer protection laws (Consumer Protection Law of BiH and Consumer Protection Law of RS) regulate the rights of consumers (natural persons) on the market, and are applicable to the fintech business models in relation to the consumers.
  • In the case of use and/or collection of personal data, the Data Protection Law of BiH will apply. To access personal data, a consent is obligatory and the data controller is obliged to act responsibly in order to process the personal data only to the extent necessary to fulfil a particular purpose, provided all such personal data is authentic and accurate. The data controller should also ensure that personal data is collected for different purposes are not aggregated or combine. There are several exceptions, one of which includes if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except if such processing of data contradicts with the data subject’s rights on protection of private and personal life.
  • The Law on the Prohibition of Money Laundering and the Financing of Terrorist Activities prescribes the measures to detect and prevent money laundering and terrorist financing.
  • Additionally, the Law on Copyright and Related Rights is also relevant for the purposes of software protection and regulations regarding the IP rights ownership and transfer.

In case of violations, the provisions of Criminal Law(s) will apply. Depending on the territory where the violation occurred and the substance of the violation, either the Criminal Law of BiH, or the Criminal Law of one of the entities (FBiH or RS) or the Criminal Law of BD will apply.

There may be obligatory reviews depending on the type of company, industry, size and transaction amongst other conditions. For example, it is obligatory for banks and all joint-stock companies to establish the audit committee as one of its corporate bodies. Once a company fulfils all the conditions stipulated by the laws on accounting and audit, it must undergo a yearly audit review. Furthermore, the Anti-Money Laundering Law of BiH stipulates mandatory identification and review of every person performing a transaction in the amount of BAM30,000 (cca EUR15,338.75) or more, regardless of whether the transaction was performed in one operation or in several evidently related transactions.

There is no specific regulation on the issue of industry participants offering unregulated products and services in conjunction with regulated products and services. Notwithstanding the above, financial service providers are required to take appropriate measures to avoid conflicts of interest. Also, in practice, depending on the kind of product in question, it may be necessary or recommended to register a special purpose vehicle (SPV).

There are no laws and regulations on robo-advisers or requirements for different business models using robo-advisers. In general, as BiH laws and regulations are technologically neutral and relatively flexible, robo-advisers are not explicitly forbidden but general principles may apply to these business models. Therefore, use of robo-advisers may be limited in certain regulated areas for which engaging in activities requires a pre-approval or the fulfilling of other conditions. For example, the securities market laws (both in FBiH and RS) explicitly stipulate that business activity of investment advising may only be conducted by individuals (natural persons) who have fulfilled certain conditions and who have acquired pre-approval from the competent authorities. Following this, robo-advisers are not permitted to conduct investment advice activities in BiH, but a person conducting investment advice activities may use a specific robo-adviser for support in conducting its advising activities.

There is no relevant available information on the implementation of robo-advisors by the legacy players. However, according to publicly available information, banking industry participants in BiH do use different algorithms for granting loans and shortening approval times.

Investment advising providers must execute best practices in conducting their investment services, which includes both minimisation and diversification of risks for the client, and maximisation of profit. Robo-advisers on their own cannot provide investment advising (please see 3.1 Requirement for Different Business Models), however they may be used as a supporting tool.

There are no specific regulations on crowd-lending platforms as online lenders in BiH. However, according to the applicable laws and regulations, only specific business entities such as banks and microcredit organisations (microcredit companies or microcredit foundations) may engage in the loan businesses. Banks must be registered as joint-stock companies and primarily engage in acceptance of deposits and granting loans, while microcredit organisations primarily engage in granting lower value loans with limits depending on the type of incorporation of the microcredit organisation.

Furthermore, certain business models which have elements of online lending have emerged in line with the regulatory framework. For example, some microcredit organisations now operate via online platforms which allow individuals to provide required information and apply online for small value loans.

Regarding the provision of loans to different business entities, the regulatory framework differs between individuals (natural persons) and legal persons. Individuals are, in principle, considered consumers and therefore provisions of consumer protection laws apply to their contractual relations with the loan institutions. These provisions inter alia set forth higher transparency requirements as opposed to other loans when dealing with businesses.

Finally, although crowd–lending platforms are not operational in BiH, there are other crowd funding platforms which are operational, such as crowd-funding charitable campaigns. And, in practice, investment crowd-funding projects were also organised via international crowd-funding platforms that offer services to BiH residents.

For the regulated industry participants, the underwriting process is dictated partially by regulation and partially by different policies the stakeholders need to adopt, such as:

  • the client acceptance policy;
  • the client identification policy;
  • the accounts and transactions monitoring policy; and
  • the policy governing risk management for collecting money and financing terrorist activities.

The risk management policy encompasses the obligation to define the commitment of corporate bodies (in particular the board of directors and the management) — in order to strengthen the corporate governance. This policy is primarily focused on the harmonisation of the BiH legislation with international standards, and other national laws and regulations in order to prevent money laundering and terrorist financing.

The most important source of funds for loans are deposits taken from the public. As per the CBBiH’s report from 30 October 2020, deposits from the public account for 54.9% of the overall deposits held in the commercial banks and amount to BAM13.35 billion, out of which 41.1% or BAM5.49 billion make for fixed deposits and savings. Despite deposits being the most important source of funds, 68% of BiH citizens have a bank account, while 49% of BiH citizens have a debit card.

In practice, the syndication of loans takes place in BiH and has been mostly reserved for large infrastructure, financing or other large projects. BiH laws do not provide regulations on syndication of loans as do common law jurisdictions. As contractual relations in BiH are based on the principle of contractual freedom, the syndication of loans is based on the mutual agreement of parties. But, this mutual agreement is part of complex agreements involving foreign and/or domestic jurisdictions. For this reason, the syndication process and its structure are determined on a case-by-case basis.

Payment processor must use existing payment rails as, according to applicable regulations, all payment transactions (payment services in internal market) take place through banks or other authorised organisations such as state post offices. Therefore, payment processors must be either bank-operated or bank-sponsored.

With reference to 5.1 Payment Processors’ Use of Payment Rails, and additionally according to laws on foreign exchange operations, all payment transactions are done through banks or other authorised organisations (bank mechanisms).

Foreign e-money organisations (platforms) are integrated (do business) with local banks which facilitate the receipt of the money from abroad.

The regulation of funds does not differentiate between fintech companies and other companies. Traditional fund administrators are regulated in BiH. The fund administrator is a legal entity (called Investment Fund Management Company) established in the organisational form of a limited liability company or joint stock company. Such company must be exclusively established for the sole purpose of management of investment funds and may only conduct limited activities in accordance with the laws on investment funds.

The fund administrators need to be licensed by the competent securities commission, either the Securities Commission of FB or the Securities Commission of RS.

There are no regulations on contractual terms between fund administrators and fund advisers. This implies that the contractual terms imposed would be regulated in accordance with the laws regularly used in equivalent agreements and in line with the laws on contracts and torts, and will of the parties.

The functioning of the stock market is strictly supervised by the securities commissions. Securities markets in BiH are regulated at the entity level (FBiH and RS), and both securities markets have their own regulatory framework and institutions. Securities trading in BiH takes place through stock exchanges, organised trading facilities (OTC) or other regulated markets. There are two stock exchanges located in Sarajevo and Banja Luka. These adhere to the similar regulatory principles and standards.

In principle, asset classes are subject to the same regulatory regime. There is currently no specific regulation that applies to crypto-assets in BiH.

As for the moment, cryptocurrency exchanges remain unregulated in BiH. However, the beginning of 2021 saw the first platform in BiH for buying, selling, changing, trading, storing and managing of digital assets placed on the market. It is a full-stack platform offering clients digital wallets and enabling the trading of cryptocurrencies, tokens and smart contract. Given that BiH had never before seen such a solution as that of a legal entity integrating new technologies with the local market, this platform has emerged as a pioneering endeavour in the field of digital property market and blockchain technology, all implemented by BiH founders.

Authorised stock exchanges are required to implement appropriate self-regulation, which is binding on the respective participants. They must implement straightforward rules on the parameters used to decide which financial instruments can be exchanged within their framework. Also, other stakeholders such as brokerage companies are required to organise their internal organisations in such a way as to ensure the up-to-date, quality, legal and reliable performance of securities transactions.

No order handling rules currently apply in relation to digital assets. However, general rules governing investor protection as well as principles of transparent and fair trade do. Brokerage firms that are authorised to execute orders on behalf of clients must enforce processes and agreements to ensure that client orders are executed promptly, fairly and efficiently.

Please see 4.3. Sources of Funds for Loans and 7.1. Permissible Trading Platforms. Regarding peer-to-peer trading platforms, there are currently no applicable rules in BiH.

Please see 7.5 Order Handling Rules.

There are no specific rules on payment for order flow. However, brokerage firms are required to provide all information — including risk information and that of any conflict of interest of the firm and the investor, or other clients — to their clients to make an informed investment decision. They must primarily balance the client's needs by prioritising them over their own.

Please see 7.1 Permissible Trading Platforms, 7.4 Listing Standards, 7.5 Order Handling Rules and 7.8 Rules of Payment for Order Flow.

There are currently no specific regulations on high-frequency and algorithmic trading nor are there known upcoming implementation plans.

As there are no specific regulations, players functioning in principal capacity do not have to register as market makers.

Please see 8.1 Creation and Usage Regulations.

There are currently no specific regulations on programmers who develop and create trading algorithms and other electronic trading tools.

There are currently no specific regulations on financial research platforms. However, if a platform is registered in BiH and used by individuals (natural person participants), actions on said platform must comply with the general principles set out in BiH consumer protections laws.

Please see 9.1 Registration. Furthermore, if any authorised person or any individual undertakes any illegal action which represents a criminal offence, there is a potential criminal liability. Provisions of the criminal acts in BiH stipulate criminal offences in a broad manner, and the spreading of unverified information may have elements for the courts to decide on potential criminal liability. For example, the criminal offence of fraud is stipulated as acquiring unlawful property with intent to gain for the acquirer or another person, by false representation or concealment of facts, deceiving another or keeping such a person in deception, inducing them to do or not to do something to the detriment of his own or someone else’s property.

Please see 9.1 Registration and 9.2 Regulation of Unverified Information.

There are no specific rules or processes concerning the underwriting of insurance in the insurtech industry, but insurtechs must comply and adapt to general insurance principles stipulated by the laws, as well as with internal acts of insurance industry participants.

There are no specific classifications of insurance concerning the insurtech industry. However, the insurance industry is highly regulated in BiH and the applicable insurance laws and regulations set both common rules applicable to insurance in general and specific rules for individual insurance types. In general, insurance is categorised into two groups: non-life insurance and life insurance. Each of these has subtypes. For example, in the case of non-life insurance, the subtypes would be:accident insurance, health insurance, transport insurance and credit/loan insurance. 

There are currently no specific regulations on the regtech industry nor are there known upcoming implementation plans. However, banking regulatory authorities impose minimal standards and reporting obligations on local banks that contractually outsource certain activities to service providers, of which regtech providers are not excluded (please see 2.7 Outsourcing of Regulated Functions).

As there are no specific regulations on the regtech industry, contractual terms between financial services firms and technology providers are dictated by industry custom and on the basis of the principle of party autonomy. The most important clause for performance and accuracy is the liability clause (between the parties). The most common clauses that parties will negotiate include: data protection; AML; confidentiality; reporting; warranties; and securities.

According to publicly available information, traditional players have not yet implemented blockchain in the financial services industry.

There are currently no specific regulations on blockchain and the regulatory authorities have, in general, remained silent on the subject of blockchain and its implementation. However, the CBBiH has issued a general statement on cryptocurrencies, in which it warned the citizens that cryptocurrencies have not been regulated in BiH and that there is no legal protection. But, the CBBiH also noted that “the citizens have a right to dispose with their money in any means possible, in accordance with their own decisions, however, investing into cryptocurrencies is prone to more risks than when investing in other instruments”.  The statement implies that cryptocurrency (blockchain assets) trading in BiH is not forbidden, but it is also not regulated.

The regulatory authorities have not yet classified blockchain assets as there are currently no specific regulations on blockchain.

There are currently no specific regulations on blockchain and the regulatory authorities have, in general, remained silent on the subject of blockchain and its implementation.

There are no regulations on blockchain asset trading platforms (please see 12.2 Local Regulators' Approach to Blockchain). The first local blockchain asset trading platform has been recently established by a BiH company, and the regulatory authorities (according to publicly available information) have not yet undertaken any actions.

There are currently no specific regulations on blockchain and the regulatory authorities have, in general, remained silent on the subject of blockchain and its implementation.

There are currently no specific regulations on blockchain and the regulatory authorities have, in general, remained silent on the subject of blockchain and its implementation.

There are currently no specific regulations on decentralised finance (DeFi).

Regulatory implications must be assessed under the general principles of provision of financial services, particularly in relation to the maintaining of protection standards by supervision of financial regulators. Payment Services Directive (PSD2) is not applicable in BiH nor has it been implemented in BiH laws or regulations.

In general, compliance with data protection laws and regulations in BiH will be highly dependent on obtaining the relevant consents and waivers from data subjects. The further development in this area is expected when additional participants (banks and other parties) join the open banking platform (please see 1.1 Evolution of the Fintech Market). – Law Office Mirna Milanović-Lalić

Maršala Tita 50
71000 Sarajevo
Bosnia and Herzegovina


Author Business Card

Law and Practice


BH Legal – Law Office Mirna Milanović-Lalić is a full-service commercial law practice with market-leading expertise in advising and representing both multinational and local companies, in all aspects of commercial law. Lawyers are experienced in the following practices: M&A, banking and finance, projects and infrastructure, corporate, commercial, employment, tax, real estate and non-profits. The firm’s team specialises in commercial and civil litigation and has assisted several financial institutions since its incorporation in matters involving financing, insurance and regulatory issues. The firm’s clients include several IT market leaders, for which they provide guidance and representation in complex deals involving financing, privacy, and regulatory.

Compare law and practice by selecting locations and topic(s)


Select Topic(s)

loading ...

Please select at least one chapter and one topic to use the compare functionality.