Regulation 14/2023 on Carrying Out Activity and Supervision of Payment Institutions

R E P U B L I C O F A L B A N I A BANK OF ALBANIA SUPERVISORY COUNCIL 1 DECISION No. 14, dated 23.3.2023 ON THE APPROVAL OF REGULATION “ON CARRYING OUT OF ACTIVITY AND SUPERVISION OF PAYMENT INSTITUTIONS” In accordance with article 1, paragraph 4, letter “b”, article 12, letter “a” and article 43, letter “c” of the law no. 8269, dated 23.12.1997 “On the Bank of Albania”, as amended, and articles 10, 11, 12, 18, 19, 24 and 25 of the law no. 55/2020, dated 30.04.2020 “On payment services”; having regard to the proposal from the Supervision Department, the Supervisory Council of the Bank of Albania, D E C I D E D:

1. To approve the regulation “On carrying out of activity and supervision of payment institutions”, according to the decision attached herewith.
2. The payment institutions shall be responsible for the implementation of this Decision.
3. The Supervision Department shall be responsible for monitoring the implementation of this Decision.
4. The Governor's Office and the Research Department shall be responsible for the publication of this Decision, in the Official Journal of the Republic of Albania and in the Official Bulletin of the Bank of Albania, respectively. This decision shall enter into force 15 days after its publication in the Official Journal. SECRETARY CHAIR

ELVIS ÇIBUKU GENT SEJKO

2 CHAPTER I GENERAL PROVISIONS Article 1 Object The purpose of this regulation is to set out the rules for the carrying out of the activity of payment institutions and for the management of risks related to this activity, as well as their supervision. Article 2 Subjects Subjects of this regulation are payment institutions, as defined in point 13 of the article 5 of the law “On payment services”. Article 3 Legal ground This regulation is issued in accordance with article 1, paragraph 4, letter “b”, article 12, letter “a” and article 43, letter “c” of the law no. 8269, dated 23.12.1997 “On the Bank of Albania”, as amended and articles 10, 11, 12, 18, 19, 24 and 25 of the law no. 55/2020, dated 30.04.2020 “On payment services” (which hereinafter in this regulation shall be referred as the law “On payment services”). Article 4 Definitions

1. The terms used in this regulation shall have the same meaning with those defined in the law “On payment services”. For the purpose of this regulation, the following term shall have this meaning: a) “internal control system” – includes the process of monitoring and the ongoing evaluation of the effectiveness and adequacy of internal acts and controlling mechanisms within a given institution as well as the quality of its activities conducted by the responsible units of the institution, for the realization of the functions of the internal control system.

3 CHAPTER II GENERAL REQUIREMENTS FOR RISK MANAGEMENT AND SUPERVISION OF THE ACTIVITY OF PAYMENT INSTITUTIONS Article 5 General prudential rules

1. Payment institutions shall have administration and accounting procedures and sufficient internal control systems, on individual and consolidated basis, in accordance with this regulation.
2. Payment institutions shall not take deposits or other repayable funds from the public, withing the meaning of article 4 of the law “On banks in the Republic of Albania”.
3. Any funds received by payment institutions from payment services users, for the purpose of providing payment services shall not constitute either a monetary deposit or other repayable funds or electronic money, withing the meaning of article 4 of the law “On banks in the Republic of Albania”. Article 6 Other activities Payment institutions, in addition to providing the payment services listed in annex 1 of the law “On payment services”, may perform one or some of the activities provided for in article 19 of that law. CHAPTER III CORE PRINCIPLES AND RULES FOR A RESPONSIBLE AND EFFECTIVE MANAGEMENT AND INTERNAL CONTROL SYSTEM Article 7 General requirements Payment institutions establish rules, procedures and internal control systems related to the responsible and effective management, which shall be comprehensive and proportionate to the nature, volume and complexity of the activity and services provided by the payment institutions. Article 8 General management culture
4. Steering bodies of payment institution, in compliance with the tasks and obligations related to the management and control of the payment institution, shall get full and clear acquaintance with the risk profile of this institution, through determining and approving in advance, the

4 approach and risk tolerance, and ongoing monitoring for compliance with the latter, and shall ensure that capital levels are adequate to cover this risk. 2. Steering bodies of payment institution, through their way of management, shall encourage (stimulate) an adequate management culture, based on high professional standards and ethical values. 3. Steering bodies of payment institution shall take all measures to accomplish high ethical and professional standards for the payment institution’s management. Article 9 Risk management system

1. Payment institutions shall establish and develop risk management systems, related to the provision of payment services, conform to the nature, volume and complexity of their activities. Risks related to the activity of payment services, may include but not be limited to: a) settlement risk (the risk that the settlement of a payment transaction does not take place as expected); b) operational risk (the risk of financial loss resulting from inadequate or failed internal processes and systems, people or from external events); c) counterparty risk (the risk that the other party included in a transaction does not fulfil its obligations); d) liquidity risk (the risk that the payment institution has inadequate cash flows to meet financial obligations); e) market risk (risk resulting from movement in market prices); f) money laundering or terrorism financing risk (the risk that the payment institution or its services might be used for a purpose connected with money laundering or terrorism financing); g) foreign exchange risk (risk resulting from fluctuations in exchange rates).
2. Risk management system shall mean the set of policies, procedures, rules and structures of the payment institutions, which serve for the risk management.
3. The risk management system shall imply: a) the process of identification, measurement, monitoring, control and reporting of all the risk types within a payment institution, across all its activity (for the entire balance sheet, business lines, agents, etc); b) determining the functions of risk management structures that shall ensure: i. the identification of all the risks; ii. the assessment of all risks and measurement of the exposures towards them; iii. the monitoring of the risk exposure and determining the capital needs on an ongoing basis;

5 iv. the monitoring and evaluation of the decisions to accept certain risks, the measures for risk mitigation and the compliance of decisions of steering bodies on risk policies; v. reporting directly and independently to the steering bodies on all the above￾mentioned issues. Article 10 Internal audit function/unit

1. Payment institutions shall establish the internal audit function/unit, as part of the internal control system.
2. The internal audit function/unit is a separate organizational unit of the entity, independent from the activities, structures and individuals that it reviews or controls, that reports to the management/supervisory board and/or the audit committee of the entity.
3. The internal audit function/unit shall ensure, independently, the steering bodies on the quality and effectiveness of the internal audit of the entity, as well as the management/governance and risk management system and processes.
4. The internal audit function/unit shall implement international standards of internal control.
5. Payment institutions shall establish and approve internal acts for the functioning and carrying out the activity of this function/unit that shall be drafted and reviewed as frequently as deemed necessary.
6. The internal acts which define the manner of functioning and carrying out the activity of the internal audit function/unit, shall include at least the following elements: a) the scope and field of activity of the internal audit function/unit; b) the role, authority and responsibilities of the internal audit function/unit; c) the relations of the internal audit function/unit with other functions of the control system within the entity; d) the ways and lines of communication of the results of the auditing activities; e) the procedures for the coordination with the statutory auditor or the auditing company and the supervisory authority; f) the right for unlimited and unconditional use of any registration, file, database, physical assets of the payment institution, as well as every document of the steering bodies or organizational units, necessary for the carrying out of this function’s/unit’s functions; g) the right of the head of the internal audit function/unit to have direct communication with the steering bodies; h) the right of planning and determining controls independently; i) the assurance of avoidance of any conflict of interests in carrying out the duties of internal audit; j) the requirements for compliance with the internationally accepted standards of internal audit.

6 7. The frequency of the audit shall be based on the risk based evaluation of every field of activity and services and/or organizational unit of the payment institution. All the areas of activity and services and/or organizational units of the payment institution shall be subject to auditing by the internal audit function/unit, at least every three years, including also those activity and services and/or organizational unit with low risk, and also branches, agents and outsourcing contracts. 8. The internal audit function/unit shall prepare a report on any audit carried out, which shall include at a minimum: a) the audit object; b) description of the audit work (description of the methodology, steps and procedures followed so as to attain the audit targets, etc.); c) audit findings; d) comments by the managers of the audited organizational units on the audit findings; e) assessments on the qualifications of employees, adequacy of internal acts and risk assessment system, on a case by case basis; f) recommendations on correcting and improving findings that were observed during the audit session; and g) extent of implementation of recommendations proposed by previous audits. 9. The employees of the internal audit function/unit should have: a) high ethical and professional reputation; b) professional capability to implement international internal audit standards and auditing procedures and techniques in all of the operating areas of the payment institution; c) knowledge of and/or experience in implementing accounting standards; d) knowledge of risk management principles. 10. The internal audit function/unit shall be responsible to draft at every year’s end, the work plan for the following year, which shall be subject to approval by the steering bodies of the payment institution. 11. The internal audit function/unit presents an annual report on the work conducted by the unit to the steering bodies of the payment institution, which shall contain the following elements: a) a report on the level of implementation of the annual work plan of the internal audit function/unit; b) a list of all the activities planned and carried out by the internal audit function/unit; c) a list of all the activities conducted, but not planned in the annual work plan of the internal audit function/unit; d) a list of all the activities planned, but unrealized by the internal audit function/unit, along with the reasons for non-realization; e) a summary of the most important findings identified during audits; f) a general assessment of the adequacy and efficiency of the internal control system in the areas covered by the internal audit function/unit;

7 g) a general assessment of the adequacy and efficiency of the risk management system; h) a report on the extent of implementation of recommendations and corrective measures defined based on the recommendations, as well as the reasons for the lack of their implementation. Article 11 Compliance function

1. Payment institutions shall have an executive director, responsible for the identification, coordination and management of the compliance risk.
2. The compliance structure/unit is independent from the business lines and the internal units that controls and has the authority, reputation and sufficient resources.
3. The main responsibility of the structure/unit that fulfills the entity’s compliance function, is to assist the steering bodies of the payment institution for effectively managing compliance risk.
4. The compliance structure/unit shall advise the steering bodies of the payment institution, on compliance with laws, rules and standards, informing regularly on developments in the field and more specifically it performs the following tasks: a) educate and train the staff on compliance issues and act as a contact point within the entity for compliance-related queries or questions from staff members; b) establish written internal guidelines for the staff on the appropriate implementation of laws, regulations and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practical guidelines; c) identify, record and assess compliance risks associated with the operations of the payment institution, including new products and practices, proposed establishment of new types of business or customer relations, and material changes in the nature of such relations; d) assess the possible impact of any legal and regulatory change on the activity of payment institution and on the compliance framework; e) measure the compliance risk by using performance indicators (e.g. increased number of customer complaints, irregularities in payments, etc.) to enhance compliance risk assessment; f) assess the appropriateness of compliance procedures and regulations and the identified deficiencies, by formulating proposals for amendments; g) monitor, test and report results of the compliance adequacy testing in accordance with internal risk management system, identifying any changes in the compliance risk profile based on relevant performance indicators, identified breaches and/or deficiencies and corrective measures that have been taken; h) create an encouraging and suitable climate for the employees of the payment institution to communicate/signal non-compliance with the rules, procedures, operations, etc., ensuring at the same time, the confidentiality and protection for the employees.

8 5. The compliance structure/unit may accomplish other specific statutory functions in the framework of fulfilling legal obligations of the entity (such as anti-money laundering etc.), as well as liaise with the Bank of Albania and/or other financial supervisory authorities, external statutory auditors or the auditing company, etc. 6. The compliance structure/unit performs the duties specified in this regulation and in the payment institution’s regulatory acts under a compliance programme that sets out its planned activities, such as implementation and review of specific policies and procedures on compliance risk, compliance testing and assessment, as well as staff training and education on compliance matters. 7. The programme of the compliance structure/unit shall be risk-focused and subject to ongoing review to ensure appropriate coverage across all entity business/activity lines of payment institution and coordination among risk management functions. CHAPTER IV CAPITAL AND SAFEGUARDING REQUIREMENTS AND RISK MANAGEMENT SUBCHAPTER I CAPITAL ADEQUACY Article 12 General requirements for the capital of payment institution

1. The payment institution shall insure sufficient levels of capital, so as to exercise a stable and safe activity, as well as to fulfill its obligations during its business.
2. The regulatory capital of payment institution, at any time, shall not fall below the amount of minimum initial capital laid down in regulation “On the licencing of payment institutions and electronic money institutions and the registration of payment service providers”, or below the amount of regulatory capital requirements, calculated according to article 14 of this regulation, whichever amount is the higher.
3. In case the payment institution’s regulatory capital falls below the limits established in paragraph 2 of this article, the institution reports immediately to the Bank of Albania, which defines the necessary measures and time to comply with the limits.
4. In the case when the payment institution grants credit relating to payment services, the total amount of credit granted does not in any case negatively affect the regulatory capital and the fulfillment of the supervisory requirements of the Bank of Albania.
5. On the basis of an evaluation of the risk-management processes, of the risk loss databases and internal control mechanisms of the payment institution, Bank of Albania may require at any time an additional amount of capital, up to 20 % (twenty percent) higher than the amount of regulatory capital requirements calculated according to article 14 of this regulation.

9 Article 13 Elements of payment institution’s regulatory capital

1. Payment institutions shall calculate their regulatory capital as the sum of Tier 1 capital and Tier 2 capital. Tier 1 capital is the sum of Common Equity Tier 1 and Additional Tier 1 capital.
2. Payment institutions shall include in the calculation of regulatory capital the following items: a) Common Equity Tier 1 items referred to in article 6 of regulation “On the bank’s regulatory capital”, after the application of the prudential filters provisioned in subchapter II of chapter II of that regulation, and the deductions and exemptions laid down in articles 11, paragraph 1, letters “a” to “i” and article 20 of the same regulation. For deductions and exemptions laid down in articles 11 and 20 of the regulation “On the bank’s regulatory capital”, the payment institutions apply the requirements provided for in articles 12-13 and 15-20 of that regulation; b) Additional Tier 1 capital items referred to in article 21 of regulation “On the bank’s regulatory capital”, after the deduction of the items referred to in article 25 of the same regulation. For additional tier 1 items and deductions from additional tier 1 capital, payment institutions apply the requirements provided for in articles 22-24 and 26-29 of the regulation “On the bank’s regulatory capital”; c) Tier 2 capital items referred to in article 30 of regulation “On the bank’s regulatory capital”, after the deductions referred to in article 33 of the same regulation. For tier 2 capital items and deductions from tier 2 capital, payment institutions apply the requirements provided for in articles 31-32 and 34-37 of the regulation “On the bank’s regulatory capital”.
3. Payment institutions, for the purpose of regulatory capital calculation, shall ensure the fulfillment of following limits: a) at least 75% of Tier 1 capital must be held as Common Equity Tier 1 capital; and b) Tier 2 capital comprises not more than 33.3% of Tier 1 capital.
4. Payment institutions shall not include in the regulatory capital calculation, any items included in the regulatory capital calculation of another entity, which is part of the same financial/banking group with the payment institution.
5. Payment institution, which performs business activities other than the provision of payment services, as provided in article 19, paragraph 1, letter “c” of the law “On payment services” shall not include in its regulatory capital calculation, any items used in carrying out the other activities.

10 SUBCHAPTER II CALCULATION OF REGULATORY CAPITAL REQUIREMENTS Article 14 Calculation method of regulatory capital requirements of payment institution

1. The payment institution shall calculate the regulatory capital requirements, mandatory to be held by it at all times, according to the rules provisioned in this article.
2. The regulatory capital requirements of the payment institution shall be calculated in accordance with the following rules: a) the regulatory capital requirements of the payment institution shall amount to at least the sum of the following elements, multiplied by the scaling factor k defined in letter “b” of this paragraph: i. 4,0 % of the slice of PV up to the equivalent amount in lek of €5 million; plus ii. 2,5% of the slice of PV above the equivalent amount in lek of €5 million up to €10 million; plus iii. 1% of the slice of PV above the equivalent amount in lek of €10 million up to €100 million; plus iv. 0,5% of the slice of PV above the equivalent amount in lek of €100 million up to €250 million; plus v. 0,25% of PV above the equivalent amount in lek of €250 million. where, PV is the payment volume, representing one twelfth of the total amount of payment transactions executed by the payment institution in the preceding year; b) the scaling factor k provisioned in letter “a” of this paragraph, shall be: a) 0,5 where the payment institution provides only the payment service as referred to in point 6 of Annex 1 of the law “On payment services”; b) 1 where the payment institution provides any of the payment services as referred to in points 1 to 5 of Annex 1 of the law “On payment services”.
3. Payment institutions that provide only the payment services as referred to in point 7 or 8, or both, of annex 1 of the law “On payment services”, are excluded from regulatory capital requirements foreseen in paragraph 2 of this article.
4. In cases where the payment institution, which on the date of calculation of the regulatory capital requirement has not completed a whole financial year of business, the payment volume foreseen in paragraph 2 of this article, shall be calculated based on the data provided in the business plan submitted in the moment of granting the license, subject to any adjustment to that plan proposed by the Bank of Albania (if applicable).
5. Payment institutions which grant credit relating to payment services in accordance with the requirements of article 19, paragraphs 4 and 6 of the law “On payment services” shall calculate

11 a regulatory capital requirement for credit risk, at least 6% (six percent) of the outstanding amount of disbursed loans, excluding payment transactions with credit cards. 6. Payment institutions shall hold at any time a capital amount, of at least equal to the amount of the capital requirement for payment services and the capital requirement for credit risk (where applicable). SUBCHAPTER III FUNDS’ SAFEGUARDING Article 15 Safeguarding the funds of payment institutions’ clients

1. The payment institution ensures that the funds of the payment services users are kept in separate accounting accounts, separated from other accounts of the institution that are not related to the payment services.
2. The payment institution that provides payment services according to items 1 to 6 of annex 1 of the law “On payment services”, safeguards all the funds received from payment services users or through other providers of payment services, for carrying out of payment transactions, in accordance with the requirements of article 12 of the law “On payment services” and in one of the forms provided for in letter “a” or in letter “b” of paragraph 1 of article 12 of the law “On payment services”.
3. For the purpose of implementing paragraph 1, letter “a” of article 12 of the law “On payment services”, “secure low-risk and liquid assets” of a payment institution shall be considered: a) debt securities issued or guaranteed by Albanian government, by central governments and central banks, by international organisations, by multilateral development banks or regional governments or local authorities, which are assigned a credit quality step “1” or which would receive a 0% risk weight under the regulation “On capital adequacy ratio”; b) debt securities issued or guaranteed by Albanian government, by central governments and central banks, by international organisations, multilateral development banks or regional governments or local authorities, which are assigned a credit quality step “2” or “3”, under the regulation “On capital adequacy ratio”; c) debt securities issued by the supervised institutions, which are assigned a credit quality step “1” or “2”, or debt securities issued by supervised institutions, which are assigned a credit quality step “3”, but which are treated according to the requirements of article 17/2, paragraph 3 of the regulation “On the capital adequacy ratio”; d) debt securities issued by corporates, which are assigned a credit quality step “1” or “2” under the regulation “On capital adequacy ratio”; e) units in collective investment undertakings in transferable securities (UCITS), which invest solely in assets as specified in the letters “a” to “d” of this paragraph.

12 4. The insurance policy or the guarantee provided for in letter “b” of paragraph 1 of article 12 of the law “On payment services”, must be payable, in case the payment institution is unable to fulfill its financial obligations to the payment services users, according to the causes/events (triggers) that activate their implementation and which are defined, respectively, in the insurance contract or in the guarantee contract. The insurance policy or guarantee does not have any clause on the franchise, deductible or threshold that may affect the disbursement of payments to the beneficiaries or any other payment service provider. 5. Payment institutions shall notify the Bank of Albania, in advance of any significant changes in the measures taken by them, for the safeguarding of the funds of payment services users. Article 16 Diversification of funds’ safeguarding

1. Payment institutions that safeguard funds of payment services users, as referred to in article 12, paragraph 1, letter “a” of the law “On payment services”, shall invest clients’ funds in diversified ways, in different counterparties.
2. The payment institution, in its decision-making for the ways of safeguarding funds according to the provisions of article 15 of this regulation, may also consider the following elements: a) the level of capital of the bank and/or insurance company, which should be proportionate to the amount of relevant funds deposited in accounts, or guaranteed or insured; b) the level of risk accompanying the lending activity or investments undertaken by the bank and/or insurance company.
3. The payment institution shall document its decision-making, according to the provision of paragraph 2 of this article. Article 17 Professional indemnity insurance and other comparable guarantees Payment institutions that provide payment services according to points 7, 8 or both (7 and 8) of annex 1 of the law “On payment services”, shall hold a professional indemnity insurance or other comparable guarantees, in accordance with the requirements of the guideline “On the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantees”.

13 SUBCHAPTER IV EXPOSURES TO RISK AND LIMITS Article 18 Allowable open foreign exchange position

1. The open foreign exchange position in a certain foreign currency represents the equivalent amount in lek (ALL) of the difference between total rights and liabilities of the payment institution, denominated in that foreign currency.
2. Payment institutions must not exceed, at the closure of every business day, the following limits regarding the open foreign exchange positions: a) the open foreign exchange position ratio for an individual currency to regulatory capital should not be higher than 30% (thirty per cent); and b) the open foreign exchange position ratio for all currencies to regulatory capital should not be higher than 40% (forty per cent).
3. Payment institutions, in calculating the open foreign exchange position do not include the structural foreign exchange position, which is created by: a) elements (balance sheet and off-balance sheet items), which are not of the nature of the main financial activity (business) of the subject and/or are sustainable/long term elements, as: “participating interests”; “investments in affiliates”, “intangible and tangible fixed assets”, etc.; b) transactions of the payment institution which maintain the regulatory capital requirement levels, in case the indicator is affected by the volatilities in the exchange rate. Article 19 Liquidity risk
4. Liquidity risk is the possibility of financial loss due to liquid assets shortfalls, to meet the obligations as they come due or are claimed, and/or when the payment institution is not able to fund increases in its assets.
5. Payment institutions shall establish the liquidity risk management system, which aims the management of liquidity risk. This system should minimally include the strategies and policies related to the management of liquidity risk, organisational structure established for the management of liquidity risk, the internal control system, information management system, etc.
6. Payment institutions shall ensure that the liquidity risk management system, from qualitative and quantitative perspective, is in line with the size of the institution, typology of its activity and exposure level to liquidity risk.

14 Article 20 Credit granting related to payment services

1. Payment institutions may grant credit related to payment services, provisioned in points 4 or 5 of annex 1 of the law “On payment services”, as foreseen in article 19 of that law, only if all the following conditions are met: a) payment institutions should establish and approve internal regulations for credit risk management by providing requirements for each step of this process, including preliminary financial analysis, disbursement, monitoring, review of credit lines, etc.; b) credit shall facilitate and be granted exclusively in connection with the executing of a payment transaction. To ensure compliance with this condition, payment institutions shall adopt systems and procedures to monitor financing process and shall provide internal control mechanisms; c) payment institutions shall not grant credit from funds received or held by payment services users, for the purpose of executing a payment transaction, which (funds) they safeguard in accordance with article 15 of this regulation, but the credit shall be granted by own funds of the payment institution; d) credit is short-term and should be repaid within a period not longer than 12 (twelve) months. Exception to this rule may be the term of financing provided in connection to credit card payments, which may last more than 12 months; e) payment institutions shall meet the regulatory capital requirements set out in article 14 of this regulation, that include capital requirements for credit risk arising from these credits. CHAPTER V ACCOUNTING, STATUTORY AUDIT AND REPORTING REQUIREMENTS FOR PAYMENT INSTITUTIONS Article 21 Accounting and financial reports
2. Payment institutions shall maintain accounts and prepare financial reports, to reflect their financial position accurately and in accordance with the accounting rules and principles, on individual and consolidated basis, in accordance with the legislation in force on accounting and financial statements.
3. When payment institution performs other activities, besides providing payment services, according to article 19 of the law “On payment services”, for supervisory purposes, shall keep separate accounting information on these activities, which must be part of statutory auditor’s report.

15 Article 22 Statutory audit

1. Annual accounts and consolidated accounts of payment institutions shall be audited by the statutory auditor or auditing companies, pursuant to the legislation in force on accounting and financial statements and the legislation on statutory audit, organization of the professions of statutory auditor and certified accountant.
2. Obligations set out in the legislation in force on banks and in the respective by-laws of the Bank of Albania on statutory auditor of the banks, shall be applied in the same manner for statutory auditors or the auditing companies of payment institutions, in respect of payment services activities. Article 23 Reporting to the Bank of Albania
3. Payment institutions shall report to the Bank of Albania in line with the requirements set out in the sublegal acts for unified reporting system for these entities.
4. Payment institutions shall submit to the Bank of Albania, within the first half of the succeeding year, a copy of the annual report and a copy of the statutory auditor’s opinion, reflecting the financial and accounting position on individual and consolidated basis.
5. Payment institutionsshall report immediately to the Bank of Albania, for any case of exceeding the allowed supervisory limits according to the provisions of this regulation. Bank of Albania shall set out and inform the payment institution on the time and the needed measures, to restore the indicators within the allowed limits. CHAPTER VI SUPERVISION, BREACHES AND SANCTIONS Article 24 Penalizing and supervisory measures The Bank of Albania, in case of non-fulfillment of the provisions of this regulation, applies the supervisory and/or penalizing measures provided in article 25 and in Title V, Chapter I of the law “On payment services”. CHAIRMAN OF SUPERVISORY COUNCIL Gent SEJKO