Regulation on Electronic Payment Instruments

1 of 18 Pursuant to Article 35, paragraph 1, subparagraph 1.1, Article 22, paragraph 2, subparagraph 2.3, of Law No. 03/L-209 on the Central Bank of the Republic of Kosovo, and in accordance with Article 1, paragraph 1, and Article 8, paragraph 1 and paragraph 2, subparagraph 2.3, of Law No. 04/L-155 on Payment System, and with Article 44, Article 85, Article 94 and Article 114 of Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions, the Board of the Central Bank, in its meeting held on 27 January 2022, approved the following: REGULATION ON ELECTRONIC PAYMENT INSTRUMENTS CHAPTER I General provisions Article 1 Purpose and scope

1. The purpose of this Regulation shall be to determine the conditions, requirements and procedures for the issuance and use of electronic payment instruments, as well as to determine the manner of reporting information when using these electronic payment instruments.
2. The subject of implementation of this regulation shall be financial institutions authorized by the Central Bank of the Republic of Kosovo (CBK) to provide payment services and electronic payment instruments.
3. Provisions of this regulation shall not apply in the following cases: 3.1. Paper-based payment instruments; 3.2. Electronic payment orders initiated by banks for making mutual payments in the Payment System. 3.3. Services based on specific payment instruments that can only be used in a limited way, that meet one of the following conditions: 3.3.1. instruments that allow the holder to purchase goods or services only on the issuer 's premises or within a limited network of service providers, under a direct commercial agreement with a professional issuer; 3.3.2. instruments that can only be used to purchase a very limited range of goods or services; 3.3.3. instruments provided at the request of an enterprise or a public sector entity and regulated by a national public authority for specific social or tax purposes, to purchase

2 of 18 specific goods or services from suppliers having a commercial agreement with the issuer. Article 2 Definitions

1. All terms in this regulation shall have the same meaning as the terms defined in Law No. 04/L￾155 on Payment System and/or the definitions below for the purpose of this Regulation: 1.1. Electronic money - shall mean electronically, including magnetically registered, monetary value which is issued upon receipt of funds for the purpose of making payment transactions and which represents a claim of the issuer to its recipient, who shall be a natural or legal person, other than the issuer of electronic money; 1.2. Electronic payment – shall mean the payment transaction, carried out through a card containing a magnetic strip, a chip or an identifying code and that is used in an electronic payments’ terminal, in a POS terminal, etc.; or via a banking application by using electronic means of communication; 1.3. Electronic Payment Instrument (EPI) – shall mean the instrument that enables the holder to perform electronic payments. This includes remote access payment instruments as well as electronic money instruments; 1.4. Remote access payment instrument – shall mean an instrument, which gives the holder the possibility to access funds on his bank account, usually through the personal identification number and/or other identification documents. Here are included payment cards and other electronic services; 1.5. Electronic money instrument – shall mean a payment instrument, other than the remote access payment instrument, which stores the monetary value electronically and enables the holder to make electronic payments. This instrument can be refilled with monetary value whenever necessary; 1.6. Paper-based payment instruments – shall mean the paper-based payment order submitted to the payment service provider. These instruments mainly include paper-based credit and debit transfers; 1.7. Card-based payment instrument - shall mean any payment instrument, including a card, mobile phone, computer or other technological device containing the appropriate payment application which enables the payer to initiate a card-based payment transaction and which is not credit transfer or direct debit; 1.8. Payment Card (Card) - shall mean a category of payment instrument that enables the payer to initiate a transaction based on debit or credit card; 1.9. Commercial card - shall mean any card-based payment instrument issued to business organizations or public sector entities which is limited in use for business expenses where the payments made with such cards are charged directly to the account of the business organization or public sector entity.

3 of 18 1.10. Debit card – shall mean a category of payment instrument that enables the payer to initiate a debit card transaction excluding those with prepaid cards; 1.11. Credit card - shall mean a category of payment instrument that enables the payer to initiate a credit card transaction; 1.12. Prepaid card - shall mean a category of payment instrument in which electronic money is stored. 1.13. Debit card transaction - shall mean a card-based payment transaction, including those with prepaid cards that is not credit card transaction; 1.14. Credit card transaction - shall mean a card-based payment transaction where the amount of the transaction is debited in full or in part at a pre agreed specific calendar month date to the payer, in line with a prearranged credit facility, with or without interest; 1.15. Card-based payment transaction - shall mean a service based on on a payment card scheme's infrastructure and business rules to make a payment transaction by means of any card, telecommunication, digital or IT device or software if this results in a debit or a credit card transaction. Card-based payment transactions exclude transactions based on other kinds of payment services; 1.16. Card scheme - shall mean a single set of implementation guidelines, rules, practices, and/or standards for the execution of card-based transactions and which is separated from any infrastructure or payment system that supports its operation, and includes any specific decision-making body, company or entity responsible for the operation of the scheme; 1.17. Four party card scheme - shall mean a card scheme in which card-based payment transactions are made from a payer's payment account to a payee's payment account through the scheme, an issuer (on the payer’s side) and an recipient (on the payee’s side); 1.18. Three party card scheme - shall mean a card scheme, in which the scheme itself provides acquiring and issuing services and card-based payment transactions are made from the payment account of a payer to the payment account of a payee within the scheme. When a three party payment card scheme licenses other payment service providers for the issuance of card-based payment instruments or the acquiring of card-based payment transactions, or both, or issues card-based payment instruments with a co-branding partner or through an agent, it is considered to be a four party payment card scheme; 1.19. Payment account – is an account opened with a bank or NBFI registered for conducting payment activities and/or electronic money, on behalf of one or more payment service users, which is used to perform payment transactions. 1.20. IPS - Interbank Payment System at CBK; 1.21. Electronic bank services – shall mean the banking services provided online, such as: mobile banking, e-banking, etc., which are carried out via electronic means of communication. These services may be accessed by clients of entities envisaged in this Regulation, through the use of various means of telecommunications, such as telephone, cellular phone, terminals or personal computers, etc.;

4 of 18 1.22. Mobile Banking - shall mean a service that allows the holder to use the mobile or cell phone to carry out various banking transactions, including the ability to make payment orders from a payment account; 1.23. E-banking – shall mean a service that allows the holder to carry out various banking transactions, including payment orders, using the internet; 1.24. Immediate payment - shall mean an electronic payment with small monetary value available 24/7/365 which results in immediate interbank clearing, which implies crediting of the payer's account and confirmation for the payer, within seconds after the initiation of the payment. Immediate payment is made regardless of the basic payment instrument used and the clearing and settlement agreement; 1.25. PIN (Personal Identification Number) - shall mean the numeric code, used to verify the holder’s identity. 1.26. Issuer – shall mean the bank or the institution licensed or authorized by the CBK, which, according to the contract, issues the holder for use, the electronic payment instrument; 1.27. Recipient – shall mean the bank or the institution licensed by the CBK which based on a contract with the merchant, accepts electronic payments initiated by the holders via electronic payment instrument and carried out at the merchant via POS/EFTPOS or virtual POS. The recipient can be simultaneously an issuer and vice-versa; 1.28. Holder - shall mean the natural or legal person, who holds the EPI, based on the respective contract with the issuer; 1.29. Merchant - implies the natural or legal person, that based on the contract signed with the recipient, accepts the electronic payments via EPI, carried out using POS/EFTPOS/virtual POS devices; 1.30. ATM (Automated Teller Machine) - shall mean the electromechanical device that permits to withdraw or to deposit cash, to carry out payments of services, to transfer funds among the accounts, to create account statements, etc.; 1.31. Terminal POS/EFTPOS – shall mean the device that permits the use of the banking cards at a point of sale; 1.32. Terminal virtual POS (virtual POS) - shall mean the device or similar application in services to the POS terminal, which permits the performance of transactions via internet or phone lines, using banking cards operating in real-time; 1.33. Online operation - shall mean the method in which transactions are carried via EPI through electronic means of communication between the system where this transaction takes place and the authorization system of the card issuer or its service operator, are immediately approved by the latter, by freezing the funds in the account of the EPI holder; 1.34. Offline operation – shall mean the method in which the processing and approval of a EPI transaction, in a terminal, is performed without contacting the issuer; 1.35. Agent/clearing house – shall mean an entity that calculates the net positions of the system participants, a potential central party and/or a possible settlement agent.

5 of 18 1.36. International card companies - shall mean international financial services companies that enable electronic fund transfers worldwide and facilitate the processing of payments between banks and merchants; 1.37. Consumer - shall mean any natural person who buys and uses goods or services to meet his needs, for purposes not related to commercial activity; 1.38. Interchange fee - shall mean a fee paid for each transaction directly or indirectly (i.e. through a third party) between the issuer and the recipient involved in a card-based payment transaction. The net compensation or other agreed remuneration is considered to be part of the interchange fee; 1.39. Merchant Service Charge – shall mean a fee paid by the payee to the recipient in relation to card-based payment transactions; 1.40. Net Compensation - shall mean the total net amount of payments, discounts, or incentives received by an issuer from the payment card scheme, the recipient, or any other intermediary in relation to card-based payment transactions or related activities; 1.41. Payee - shall mean a natural or legal person who is the intended recipient of funds that have been the subject of a payment transaction; 1.42. Payer - shall mean a natural or legal person who holds a payment account and allows a payment order from that account or when there is no payment account, a natural or legal person who issues a payment order; 1.43. Payment application - shall mean computer software or equivalent installed on a device enabling card-based payment transactions to be initiated and allowing the payer to issue payment orders; 1.44. Payment service providers – shall mean a bank, MFI, NBFI, licensed/registered by the CBK to carry out the activity of payment service and/or issuance of electronic money; 1.45. Payment service user - shall mean a natural or legal person making use of a payment service in the capacity of either payer or payee, or both. Article 3 Types of Electronic Payment Instruments

1. Electronic payment instruments, through which it is possible to access funds in the payment account or in the money registered electronically to carry out operations such as: cash depositing/withdrawal, payments and/or transfers of funds, reloading with monetary value, etc. are classified as follows: 1.1. Remote access payment instruments, providing to the holder the possibility to access funds in his payment account, by using electronic and/or technical means, such as: 1.1.1. payment cards; 1.1.2. immediate payments. 1.2. Other electronic services, such as: mobile banking, e-banking, etc.; and 1.3. Electronic money instruments.

6 of 18 2. The definition of EPI types under paragraph 1 of this Article has no limiting/exhaustive character and depends on further technology developments. CHAPTER II Transparency and consumer protection standards Article 4 Establishing relationships for the issuance and use of Electronic Payment Instruments

1. Relationship for the issuance, holding and use of EPIs shall be established through a written contract between the issuer and the holder.
2. The contract under paragraph 1 of this Article shall contain at least the following conditions: 2.1. The contract for holding and using the EPI shall be drafted in Albanian language and may be drafted in other languages, in compliance with the applicable laws in Kosovo; 2.2. The issuer shall, prior to the signing of the contract, communicate to the holder of the EPI the contractual terms, by carefully clarifying mutual rights and obligations; 2.3. The contract for holding and using EPI shall contain at least the following information: 2.3.1. parties to the contract; 2.3.2. the type of the EPI issued, type of equipment/device where the holder can use this instrument to carry out transactions; 2.3.3. types of payment transactions that can be carried out via EPI; 2.3.4. the duration/limit of usage or the validity period of EPI; 2.3.5. obstacles that may occur when carrying out transactions; 2.3.6. the applicable security procedures and parties’ liabilities under the contract; 2.3.7. the normal period within which the holder shall settle all liabilities arising from transactions executed through EPI; 2.3.8. types and value of charges and commission fees relevant to the use of EPI and the conditions for their change; 2.3.9. rules on carrying out transactions in foreign currency and the conditions for their change; 2.3.10. rules on the calculation of interest rate and effective interest rate, if applicable on the EPI issued; 2.3.11. the right and procedure for filing a complaint related to EPI, and procedures for addressing it; 2.3.12. the terms and conditions for contract renewal; 2.3.13. the method, period of notice, conditions for terminating the contract; and

7 of 18 2.3.14. procedures and consequences in cases of loss, destruction, misuse, theft, falsification or copying of EPI. 2.4. The following documents shall be attached to the contract: 2.4.1. the list of allowed limits for transactions, charges, fees, and interest rates, when applicable, as well as the reference to the quotation date of applicable exchange rate for use of EPI-s, domestically and abroad; 2.4.2. a description of how EPI is used and the devices where it is used. 3. The issuer shall issue EPI to the holder only after being assured that the client was informed and cleared on terms, mutual rights and obligations stipulated in the contract, and after the signature of the contract compiled in accordance with this Article. 4. The issuer shall notify the holder in writing on the proposed amendments to the provisions of the contract. Article 5 Issue and use of Electronic Payment Instruments

1. The subjects of this regulation shall have the right to issue EPI-s and provide electronic payments service via EPI-s, only after being granted a license by the CBK.
2. The subjects of this regulation applying to issue a new type of EPI shall, at least one (1) month prior to providing the electronic payment services through the new EPI, notify in writing the Department of Licensing and Standardization at CBK with regard to the EPI, the method of services provision and the possibilities of the use of EPI, as well as the market assessment for this service.
3. The CBK may at any time prohibit the issuance or use of a new type of IPE if, in its assessment, the requirements of this regulation and other relevant legal acts in force have not been met. Article 6 Obligations of the issuer of Electronic Payment Instrument
4. The issuer of EPI shall meet the following requirements: 1.1. Allow the holder to carry out EPI transactions; 1.2. Submit to the holder or authorized person in accordance with applicable laws, the PIN in a sealed envelope, or through other forms, which enable alternatives for issuing the PIN in electronic form. The PIN can be assigned by the issuer or by the EPI holder; 1.3. Provide confidential data on EPI transactions only to the holder, in accordance with legal acts on data protection and confidentiality; 1.4. Accurately record and enter into the payment account of holder each transaction carried out by the holder via EPI; 1.5. Ensure the avoidance/elimination of technical problems or other deficiencies, for the execution of EPI transactions;

8 of 18 1.6. Not issue payment instruments unless requested by the holder, except when he/she replaces an existing electronic payment instrument used by the holder; 1.7. Save the records for a period of time defined by applicable laws so as to enable the identification of performed transactions and correction of errors in the cases defined in the contract; 1.8. Inform the holder in writing and/or electronically regarding the publication of the change occurring in the interest rates when they are applicable; 1.9. Provide to the holder any information relevant to his transactions, upon the request by the latter; 1.10. Provide the holder with the possibility of notification in cases of loss, theft, misuse and/or destruction of EPI-s, 24/7 via the available means of communication; 1.11. Identify the person performing the notification referred to in subparagraph “1.10” of this paragraph, in order to ensure that he/she is the EPI’s holder; 1.12. Record in full the receipt of notification for cases provided under subparagraph “1.10” of this paragraph, including the receipt of data related to the identification number of EPI, the person making the notification, the correct date and time of receiving information and the other additional circumstances; 1.13. Following the receipt of notification under subparagraph “1.10” and identification of the person under subparagraph “1.11” of this paragraph, the issuer shall immediately take necessary measures to stop further use of the EPI, even when the holder may have acted in complete negligence or fraud; and; 2. The issuer of EPI, during the process of issuing and monitoring the use of EPI, shall implement the requirements of applicable legislation on prevention of money laundering and financing of terrorism. Article 7 Publication of information

1. The issuer shall publish in the premises where the activity takes place and through various media, free information on: 1.1. the applicable interest rates and effective interest rates; 1.2. The amount of applicable charges and provisions.
2. The issuer shall be obliged to provide information at the request of the holder regarding the transactions performed through EPI. This information should be in writing, wherever possible, transmitted also via electronic means, and should contain the following: 2.1. a reference allowing the holder to identify the transactions, including information on the merchant and/or place of transaction, as well as the type, date, time and the reference number of the executed transaction; 2.2. the transaction amount by which the holder’s account has been debited, including the amount denominated in the original currency;

9 of 18 2.3. the interest rates, the potential commission fees and/or charges for each transaction, if applicable; and 2.4. The new services that it can provide with regard to EPI. Article 8 Obligations of the holder of Electronic Payment Instrument

1. In addition to the requirements of Article 6 of this Regulation, the contract for the payment instrument shall also include the obligations of the holder according to which he/she shall: 1.1. Use the Electronic Payment Instrument in compliance with the terms and conditions set out in the contract; 1.2. Keep secret his/her PIN and/or his/her password and take all the necessary measures against access by a different person; 1.3. Immediately inform the issuer if one of the following events occur: 1.3.1. EPI is destroyed, misused, lost, stolen, falsified or copied; 1.3.2. notices an abuse, fraud related to his/her PIN/password, that could enable third persons to access his/her account; 1.3.3. a transaction is executed via EPI without the holder’s approval; 1.3.4. notices an error or mismatches in his/her account with the issuer. 1.4. Not write his/her PIN/password in an easily visible place that would enable a third person to read it; 1.5. Provide complete and accurate personal data for identification purposes; and 1.6. Immediately inform the issuer on any change of his/her personal data.
2. The notification for the cases provided in subparagraph 1.3, paragraph 1 of this Article, is made by different means of communication, in line with the definitions stipulated in the contract.
3. The holder shall be held financially liable for losses incurred due to the loss or theft of EPIs, until the time of making the notification. As soon as the holder has notified the issuer, he/she is not thereafter liable for the loss incurred, except when he/she acts fraudulently.
4. Except as provided in paragraphs 1, 2 and 3 of this Article, the holder is not liable if the EPI has been used without the physical presence and/or electronic identification of the instrument itself, except where he/she operates upon fraud/negligence circumstances. The use of a confidential code or any other similar proof of identity is not, by itself, sufficient to entail the holder’s liability. Article 9 Compensation/Indemnification of the Holder by the Issuer
5. Except as provided in paragraphs 3 and 4 of Article 8 of this Regulation, the issuer shall be liable to cover the financial damages occurred to the holder, in cases when:

10 of 18 1.1. The transaction was not executed or was executed incorrectly by the issuer, including cases where the transaction was performed at terminals authorized for use by the holder, but which are not under the direct control of the issuer; 1.2. The transactions were not authorised by the holder, as well as for any error or any other irregularity attributable to the issuer, in maintaining the holder’s account. 1.3. Transaction executed by the holder, at the time determined in or through the devices/applications of the issuer, has been delayed during the transfer which causes financial damages to the holder. 2. Compensation/indemnification of financial damages under paragraph 1 of this Article, shall include: 2.1. The amount of the unexecuted or erroneously executed transaction, if any, and relevant interest thereon; and 2.2. The amount required to restore the holder's remaining account to the previous state, before the unauthorised transaction took place. Article 10 Establishment of relationships for receipt of payments via electronic payment instrument

1. The relationship for the receipt of payments via EPI shall be established and defined through a written contract between the recipient and merchant.
2. The contract under paragraph 1 of this Article should contain at least the following conditions: 2.1. Contract on receipt of payments via EPI is drafted in Albanian and other languages in accordance with the applicable legislation; 2.2. Prior to signing the contract, the recipient shall present to the merchant all contract conditions, by clarifying the reciprocal rights and obligations. The contract should contain at least the following information: 2.2.1. Parties to the contract; 2.2.2. Type of EPI to be used for performing transactions with the merchant; 2.2.3. Applicable procedures, including security procedures and merchant’s obligations during the performance of transactions; 2.2.4. Period and manner of payment to the merchant by the recipient; 2.2.5. Cases of refusal to accept payment by EPI; 2.2.6. Cases of holding the EPI; 2.2.7. Procedures regarding the right to file complaints; 2.2.8. Terms and conditions related to contract renewal; 2.2.9. Manner, notification deadline and conditions for termination of the contract.
3. The contract shall not contain any prohibiting clause for the merchant to use only one recipient’s system.

11 of 18 4. The contract may contain compulsory clauses only with regard to technical aspects of payment processing by EPI. Article 11 Obligations of the recipient of payments via Electronic Payment Instruments

1. In order to receive payments via EPI, the recipient should fulfil the following conditions: 1.1. Open a payment account in the name of the business or the merchant; 1.2. Enable the acceptance and performance of transactions via EPI; 1.3. Record each transaction and save the records for a sufficient period of time, so as to enable the identification of performed transactions and correction of errors in the cases defined in the contract; 1.4. Apply safety procedures for ensuring the performance of EPI transactions; 1.5. Implement legal acts for maintaining data and bank secrecy; and 1.6. Notify the merchant in writing with regard to proposals for changing the contract provisions. Article 12 Standards on the protection of the electronic payment instrument holder
2. The recipient shall include in the contents of the contract pursuant to Article 10 of this Regulation, certain conditions to ensure the protection of EPI holder, whereby the merchant: 1.1. May request the holder to present an identification document, in case of doubts about his identity, prior to accepting a payment via the EPI; 1.2. Should reject a payment via the EPI, under Article 10, subparagraph 2.2.5, of this Regulation, in the following cases: 1.2.1. EPI invalidity; 1.2.2. Notice on EPI’s theft or loss; 1.2.3. Inconsistency between the authorized signature in the EPI and the signature of the transaction document or identity card; 1.2.4. Refusal by the holder to provide an identification document or if the merchant identifies that an unauthorised person is using EPI; 1.2.5. Inability to receive a confirmation on the performance of transaction; 1.2.6. Absence or incorrectness of at least one EPI safety element; 1.2.7. Suspicions of an EPI forgery/copying; 1.2.8. Absence of authorized signature in EPI, if this is essential for validity effect; 1.3. May hold EPI, in accordance with Article 10, subparagraph 2.2.6, of this Regulation, in the following cases: 1.3.1. Notice on EPI theft or loss;

12 of 18 1.3.2. Inconsistency of signature in EPI with the signature in purchase receipt; 1.3.3. Use of EPI by an unauthorised person; 1.3.4. Receiving an order from the recipient to keep the EPI; and 1.3.5. Concluding that at least one of the safety elements is not correct. 1.4. Should ensure the safety procedures according to Article 10, subparagraph 2.2.3, of this Regulation and shall not make public personal data and/or cardholder number, to unauthorised persons, as well as shall not allow wrong/incorrect use or forgery/copying of EPI; 1.5. Should accept payments performed via EPI, under the same conditions and terms as with cash payments and should not apply commission or additional charges towards the holder, above the price of payments performed through them. Article 13 Transparency standards of the issuer of other electronic services

1. Except as stipulated in the contract for issuing the EPI according to Article 4 of this Regulation, the issuer shall make available to the holder, in writing, information regarding: 1.1. Rules of electronic identification of holder; 1.2. The rules to be followed by the holder regarding the issuance of orders for the execution of transactions or use of other services specified in the contract; 1.3. Best and safest practices for performing transactions with payment instruments, which the holder should adhere to.
2. The issuer provides to the holder the possibility to access funds in his/her account and to perform transactions through the electronic payment applications in his electronic services, which he provides through the use of communication means such as telephone, internet, mobile, etc.
3. The holder, in line with the terms as established in the contract, orders the issuer to debit his/her account with the amounts of executed transactions and for the fees and commissions applied by the issuer, or undertakes to pay the amounts that are due to the payment service provider, within a specified period of time.
4. The issuer guaranties to the holder the needed security related to the transactions performed through the means of communication as established in the contract.
5. The issuer shall immediately inform the holder in the event of the rejection or non-execution of transaction ordered by the latter, if the rejection/or non-execution is due to reasons that do not depend on the issuer. Article 14 The irrevocability of payment order

13 of 18 The order given by the holder of the EPI for the authorisation of a transaction may be revoked only prior to the authorisation. After the authorisation of the transaction by the holder, the order is irrevocable, except if the contractual terms on the use of EPI provide differently. CHAPTER III Remote access payment instruments Article 15 Types of payment cards

1. Payment cards can be in the form of: 1.1. Cash Cards – that allow use only at ATMs or cash machines and that allow holders only to withdraw cash; 1.2. Debit cards – that allow the authorised holder to access his/her account at the issuer, to make purchases with the available funds in this account and/or withdraw cash, if the card is combined with a card with a cash function; 1.3. Deferred debit cards – similar to debit cards, except that the settlement of the payment in the account is done after a definite period of time as stipulated in the terms of the contract; 1.4. Credit cards – that allow the holder to use a line of credit. It enables the holder to make a purchase and/or withdraw cash up to a prearranged ceiling. The credit granted can be settled in full by the end of a definite period of time or can be settled in part, and deferred in time, in line with the terms established in the contract; 1.5. Card with electronic money function – means a card that enables electronic money transactions.
2. Payment cards may also have a combination of the above functions. Article 16 Additional card Upon the consent of the account holder and/or of the main card holder, the issuer may issue an additional card for the same account, for which the contract is signed also by a third person, holder of this additional card. Article 17 Transactions performed with payment cards
3. The transactions that can be carried out with payment cards are as follows: 1.1. Cash withdrawal and deposit from/to an account through an ATM terminal; 1.2. Payment of goods and services and cash withdrawal from a physical POS/EFTPOS terminal in cases where this service is provided by the issuer;

14 of 18 1.3. Payment of goods and services, as well as transfer of funds between accounts from a virtual POS/EFTPOS terminal; 1.4. Payment of services from ATM terminals; 1.5. Transfer of funds between accounts through an ATM terminal; 1.6. Transfer of the current account balance to a deposit account through an ATM terminal; 1.7. Online payments; and 1.8. Printing of account statement or issuance of an overview of last actions in the account, as well as performance of other non-payment transactions, such as: 1.8.1. Changing the PIN at an ATM etc.; 1.8.2. Setting the PIN at the POS. 2. The recipient makes possible that the transactions specified in paragraph 1 of this Article, be carried out in all POS/EFTPOS and ATM supplied and financed by them, which offer those functions, by using the payment cards issued within the territory of Kosovo or abroad, in compliance with the agreements with the international card associations. 3. Issuer and recipient operating in Kosovo, should not apply fees to the holder for transactions carried out with cards for payment of goods or services. 4. Notwithstanding paragraph 3 of this Article, an exception may be made only in cases of payments to public institutions when the institution does not undertake to cover the cost of payment service through the card. Article 18 Exchange fees for debit and credit card transactions by the customer

1. If the payment transaction is performed with a card-based payment instrument, the exchange fees calculated and charged between the payment service providers, which have their headquarters in Kosovo, may not be higher than: 1.1. 0.2% of transaction value for each debit card transaction; and 1.2. 0.3% of transaction value for each credit card transaction.
2. Paragraph 1 of this Article shall not be applicable in the following cases: 2.1. For commercial card transactions; 2.2. For withdrawing money at ATMs or at a customer service point of a payment service provider; and 2.3. For payment card transactions issued by three party card payment schemes. Article 19 Prohibition of deviations

15 of 18 For the purpose of applying the limitations set forth in Article 18 of this Regulation, any agreed payment, including net compensation, with an effect on the exchange fee, received by an issuer from a card scheme, recipient or any other intermediary in connection with payment transactions or related activities should be treated as part of the exchange fee. Article 20 The ‘Honour all cards’ rule

1. Card schemes and payment service providers should not apply any rule that obliges payees who receive a card-based payment instrument issued by an issuer, also to accept other card-based payment instruments issued within the framework of the same card scheme.
2. Paragraph 1 of this Article shall not apply to card-based payment instruments of the same brand and the same card category (prepaid card, debit card or credit card) that are subject to exchange fees under this regulation.
3. Card schemes and payment service providers should ensure that cards are not rejected on the basis of the identity of the issuer or cardholder.
4. Issuers must ensure that their payment instruments are electronically identifiable and, in the case of newly issued card-based payment instruments, also visually identifiable, enabling the payee and payers to identify without doubt which brands and categories of prepaid cards, debit cards, credit cards or commercial cards have been chosen by the payer. Article 21 Fee transparency
5. Each recipient must offer and charge service fees to the payee specified individually for different categories and brands of payment cards with different levels of exchange fees, unless the payee requests the recipient, in writing, to charge the service fees in a mixed manner.
6. Recipients must include in their agreements with the payees individually specified information on the amount of Merchant Service Fees, Exchange Fees and Scheme Fees applicable in respect of each category and brand of payment card, unless the payee then makes another written request. Article 22 Equipment for the use of electronic payment instruments
7. In the device in which EPI transactions are performed, or the visible environment around it, the logo shall be placed of the card operators accepted by this device.
8. The recipient places the device in such places where the holder, or a certain group of holders, can have free and secure access. Article 23

16 of 18 Personal identification number (PIN)

1. PIN is a personal number identifying each holder who makes use of the EPI. PIN is set by the issuer or by the client/card holder himself.
2. The issuer provides to each cardholder a PIN, which includes at least four digits identifying him/her. The PIN is delivered to the holder in a closed envelope at the moment of handing the card or through other forms, which allow for alternatives of delivering the PIN electronically.
3. The card can be used only with the PIN created especially for it, with the exception of contactless cards for certain values. If the holder forgets his/her PIN, the issuer shall generate a new PIN for that card, within the terms specified in the contract, or shall issue a new card with a new PIN.
4. The PIN can be used on the keyboard of any POS/EFTPOS terminal or ATM that accepts payment card, to carry out the transactions as specified in Article 17 of this Regulation. The mandatory use or not of PIN in POS/EFTPOS terminals depends on the type of issuer/recipient..
5. The holder may change his PIN through an ATM/POS terminal, to a new PIN, of which only he is aware, in cases where the issuer provides this service to him/her. Article 24 Ownership of the card and its return to the issuer
6. The card issued for use by the holder is under the ownership of the issuer.
7. After the expiration of the term specified in the contract for holding the payment card, the holder shall return the card to the issuer within the term specified in the contract if requested by the issuer. Article 25 Payment Settlement Payment settlement in Euro or other currencies performed through a payment card issued in the territory of Kosovo shall be done through international or local card companies and/or correspondent banks, in accordance with the bilateral or multilateral agreements, concluded between the issuer/recipient and international card companies. CHAPTER IV Reporting and protection of information when using an EPI Article 26 Reporting with CBK
8. The issuer and the recipient shall report to the CBK according to the Regulation in force and the format set forth in the payment instruments reporting methodology, the following information: 1.1. Number and type of the issued electronic payment instruments; 1.2. Number, type and value of the transactions performed with electronic payment instruments;

17 of 18 1.3. Number of merchants with whom the recipient has concluded a contract on the acceptance of payments with electronic payment instruments; 1.4. Number of ATM and POS/EFTPOS terminals they possess; 1.5. Recorded efforts on evading or violation of rules; and 1.6. Any other data required by the payment instruments reporting methodology. Article 27 Reporting methodology The CBK shall draft the payment instruments reporting methodology, aiming to collect information from the issuer, in the function of assessing and controlling the payment system, as well as for statistical purposes. Nevertheless, the CBK may still request, as needed, additional information as it deems necessary, in order to fulfil its monitoring responsibilities. Article 28 Personal data protection

1. The information related to the payment transactions is protected and handled according to the legislation in force and the issuer/recipient shall maintain and preserve the confidentiality of holder/merchant data related to the use/accepting of electronic payment instruments. This obligation is part of the contract between the parties.
2. Information transmitted at the moment of payment shall, in no case, violate the protection of personal data.
3. The issuer or recipient shall take the necessary measures so that no one other than him is able to read the holder’s personal data during the use of electronic payment instrument.
4. The personal information of the holder, regarding his actions, can be made public only in cases allowed and expressly defined by the legislation in force. CHAPTER V Final provisions Article 29 Applicability of requirements of the Regulation on Effective Interest Rate and Other Disclosure Requirements In addition to the requirements of this Regulation, the financial institutions shall, during the issuing and use of EPIs, apply all requirements of the Regulation on Effective Interest Rate and Disclosure Requirements, as well as the applicable legislation in relation to the financial products and services.

18 of 18 Article 30 Repeal With the entry into force of this regulation, the Regulation on Electronic Payment Instruments approved by the CBK Board on 26 December 2019 and any other provision that conflicts with this Regulation shall be repealed. Article 31 Remedial measures and civil penalties Any violation of the provisions of this Regulation shall be subject to remedial and punitive measures, as defined by the Law on the Central Bank of the Republic of Kosovo, the Law on Payment System and the Law on Banks, Microfinance Institutions, and Non-Bank Financial Institutions. Article 32 Entry into force This Regulation shall enter into force fifteen (15) days from the date of approval, with the exception of Articles 18, 19, 20 and 21 which enter into force on 1 January 2023, for the purpose of harmonizing the internal acts of financial institutions with the provisions of the mentioned Articles of this Regulation. Flamur Mrasori Chairman of the Board of the Central Bank of the Republic of Kosovo