SERBIA Law and Practice Contributed by: Željka Motika, Ivana Bulatović and Jovana Spasojević Gligorijević, Motika i partneri
2.10 Significant Enforcement Actions

National supervisory authorities are responsible for ensuring regulatory compliance within the fintech sector. Their oversight helps safeguard market integrity, maintain financial stability, and protect users of financial services.

Regulators have a range of enforcement measures at their disposal, including orders to remedy breaches, recommendations, warnings, and administrative fines. In cases of serious or repeated violations, the most severe sanction available is the revocation of a licence. Regulators may also initiate misdemeanour proceedings when appropriate.

In certain circumstances, regulatory bodies are required to publicly disclose information about sanctioned entities and the penalties imposed on them.

Additionally, significant fines may be levied against entities that provide regulated services without first obtaining the required licence from the competent authority.

2.11 Implications of Additional, Non-Financial Services Regulations

Privacy

All entities that process personal data – whether fintech companies or traditional financial institutions – must comply with the Personal Data Protection Act. This applies regardless of whether the entity acts as a data controller or a data processor.

Cybersecurity

Cybersecurity obligations are primarily regulated by the Information Security Act. Fintech companies may be classified as operators of ICT systems of special importance, particularly when they operate in regulated markets, provide digital asset services, or manage ICT systems for financial institutions.

Such operators must comply with extensive requirements concerning security measures, incident management, audits, and outsourcing. Importantly, they remain fully responsible for the overall security of their systems. For financial institutions, especially banks, oversight is carried out by the National Bank of Serbia.
are prohibited from outsourcing the regulated activities for which they are licensed.

Digital asset service providers may not outsource regulated functions. They may outsource only limited operational tasks, subject to prior notification to the competent authority and provided that such arrangements do not undermine internal controls or the financial stability of the provider. The vendor must also enable direct supervision and ensure access to documentation by the competent authority.

UCITS management companies and AIFMs may delegate portfolio management and risk management, subject to the prior approval of the Securities Commission and only to entities holding the relevant regulatory authorisation.

2.9 Gatekeeper Liability

In Serbia, fintech service providers may be considered “gatekeepers” to a certain extent; however, the extent of their responsibility depends on the legal classification of the services they provide.

Providers of regulated financial services – such as payment institutions, electronic money issuers, investment firms, and digital asset service providers – are subject to anti‑money laundering and counter‑terrorist financing obligations. These include KYC procedures, transaction monitoring, application of a risk‑based approach, and reporting of suspicious activities. They must also ensure system security, implement fraud‑prevention measures, and address unauthorised transactions.

Investment and crypto platforms have additional duties, including the implementation of market‑surveillance mechanisms designed to prevent market manipulation and other forms of market abuse.

By contrast, fintech companies that provide purely technical or support services, without holding client funds or offering regulated financial services, are not considered financial “gatekeepers”. Their responsibility is primarily governed by general contractual principles and data‑protection regulations.
CHAMBERS.COM