Regulation on Licensing, Regulation and Supervision of Payment System Operators

1 of 24 Based on Article 35, paragraph 1, sub-paragraph 1.1, and Article 65 of the Law No. 03/L-209 on Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, No. 77/16 August 2010),, and Article 8, paragraph 1, sub-paragraph 1.1 of the Law No. 04/L-155 on Payment System (Official Gazette of the Republic of Kosovo, No. 12/03 May 2013), the Board of the Central Bank of the Republic of Kosovo in its meeting held on 24 June 2019, approved the following: REGULATION ON LICENCING, REGULATION AND SUPERVISION OF PAYMENT SYSTEM OPERATORS CHAPTER I GENERAL PROVISIONS Article 1 Purpose and scope

1. The purpose of this Regulation is to establish the terms, requirements and procedures for the licensing of payment system operators to operate in Kosovo.
2. In order to ensure the stability, efficiency and security of the payment system, this Regulation lays down the conditions and standards applicable to the activity of payment system operators.
3. This Regulation also defines the means and procedures under which the CBK will exercise its regulatory and supervisory powers.
4. This Regulation shall apply to all persons applying to the CBK for licensing as payment system operators and any payment system operator currently operating in Kosovo. Article 2 Definitions
5. All terms in this Regulation shall have the meaning as defined in Article 2 of Law No. 04/L-155 on Payment System and/or as set out below for the purposes of this Regulation: 1.1. CBK – means the Central Bank of the Republic of Kosovo;

2 of 24 1.2. Director – means any person appointed by the shareholders to serve as a member of the Board of Directors of the payment system operator. 1.3. Independent director - means a director who is not a shareholder and is independent of senior management or individuals associated with senior management. A related individual for purposes of this paragraph means any individual having at least one of the following relationships with the payment system operator: 1.3.1. any senior manager; 1.3.2. any person who is related to the senior manager by marriage or proximity up to the second degree. 1.4. Senior manager – means the chief executive officer, chief financial officer, chief operations officer, chief risk officer, and any person who: 1.4.1. reports directly to the board or participates or has the authority to participate in the main policy-making functions of the payment system operator, and/or 1.4.2. has been appointed as a senior manager by the CBK. 1.5. Participants – means the party that is defined/recognized in the payment system operator's rules as an acceptable party for exchanging, clearing and settlement through the payment system with other direct or indirect participants. A direct participant is a participant in a system that is responsible for repaying his own payments, of his customers and of indirect participants on whose behalf he operates. 1.6. System operator – means the entity that is responsible for operating and/or managing a payment system, clearing or repayment of securities. 1.7. Payment system or system– means the payment system operator. CHAPTER II LICENSING OF PAYMENT SYSTEM OPERATORS Article 3 Licensing principles

1. As defined in the Law on Payment System, no person may operate as a payment system operator without prior licensing by the CBK according to the provisions of the Law on Payment System and this Regulation.
2. The CBK is the sole authority responsible for licensing payment system operators.
3. The requirements for the licensing of payment system operators set out in this Regulation shall not apply to payment systems which are managed by the CBK.

3 of 24 Article 4 Payment system operators

1. A payment system operator is a legal entity registered under the Law on Business Organizations, licensed by the CBK under the provisions of the Law on Payment System and this Regulation, to operate and manage a payment system in the Republic of Kosovo.
2. Only the following entities may be payment system operators: 2.1. CBK; 2.2. Banks licensed by the CBK; 2.3. NBFIs registered by the CBK for exercising the activity of issuing electronic money and/or payment service; and 2.4. Joint Stock Companies or Limited Liability Companies established under the Law on Business Organizations in the Republic of Kosovo and licensed by the CBK for this purpose. Article 5 Settlement agent Only the CBK or a bank licensed by the CBK to operate in Kosovo may act as settlement agents. Article 6 Payment system participants
3. The following entities may be payment system participants: 1.1. CBK; 1.2. Banks licensed by the CBK; 1.3. NBFIs registered by the CBK for exercising the activity of issuing electronic money and/or payment service; 1.4. Governmental institutions; 1.5. Pension funds; and 1.6. Operators of other financial market infrastructure licensed or managed by the CBK.
4. The entities referred to in paragraph 1 of this Article may be direct or indirect participants in the payment system.

4 of 24 Article 7 Conditions for participation in the payment system

1. The rules governing the participants’ access to payment systems to be set out in the payment system rules by operators shall be objective, non-discriminatory, proportionate and shall not prevent access more than required for protecting the system from specific risks such as repayment risk, operational risk and business risk, and for ensuring the financial and operational stability of the payment system.
2. Payment systems should not impose on any participant, payment service user or other payment system any of the following requirements: 2.1. Restrictions on participation in other payment systems; 2.2. Restrictions based on their institutional status;
3. The provisions of paragraphs 1 and 2 of this Article shall not apply to: 3.1. Payment systems determined by the CBK as of systemic importance; 3.2. Payment systems consisting exclusively of participants belonging to a group.
4. For the purposes of sub-paragraph 2.1 of paragraph 2 of this Article and when paragraph 3 of this Article applies, if a participant in a particular system allows a payment service provider who is not a participant in the system to pass a transfer order through the system, the participant shall provide the same opportunity in an objective, proportionate and non-discriminatory manner to other payment service providers in accordance with paragraphs 1 and 2 of this Article. Article 8 Capital requirements
5. The payment system operator shall have sufficient financial resources for the proper exercise of its functions and to ensure the safe, sustainable and efficient operation of the relevant system;
6. The minimum amount of capital required for licensing and maintained for payment system operators is two hundred thousand (200,000) Euros.
7. In addition to the charter capital set out in paragraph 2 of this Article, the payment system operator shall also have an additional fund for initial costs to cover the establishment, operation and administration costs, which in any case shall not be less than twenty percent (20%) of the charter capital set out in paragraph 2 of this Article.
8. The payment system operator shall be obliged to keep at least 50% of the capital specified in paragraph 2 of this Article in cash blocked as a time deposit on a bank account at the banks licensed by the CBK.

5 of 24 5. In order to meet the obligations of the payment system operator, the time deposit according to paragraph 4 of this Article shall be in a form acceptable to the CBK and shall determine the CBK as the sole beneficiary, which shall be executed only in the event of liquidation of the payment system operator with prior approval by the CBK. 6. Payment of capital under paragraphs 2 and 3 of this Article and any subsequent addition thereto shall be made in cash and accompanied by submission to the CBK of information regarding the source of such capital and the bank document certifying the payment of the capital, as defined in Article 9, paragraph 3, sub-paragraphs 3.3 and 3.4, of this Regulation. 7. The CBK shall have the right to request clarifications and to make further verifications regarding the source of fundraising which will serve as initial capital or subsequent addition. 8. The sources of capital funds must be legitimate and should not derive from loans from public loans, credits and/or other funds the origin of which is unlawful. Article 9 Application for licensing to operate a payment system

1. Entities that intend to establish a payment system operator must submit to the CBK an application to be licensed as a payment system operator.
2. The application shall be signed by the shareholder(s) or their legal representative and submitted to the CBK in the physical presence of the shareholder or the representative of the proposed shareholder(s) of the payment system operator. The application must be accompanied with the full documentation required by the Law on Payment Systems and this Regulation.
3. The request for licensing as the payment system operator shall be in written form accompanied by forms specified by the CBK and shall include the following documentation/information: 3.1. Applicant's documents (statute and/or founding act); 3.2. Business registration certificate; 3.3. List of shareholders and beneficiary shareholders of the applicant, specifying the name, nationality, address, business history for the last ten (10) years and the respective stockholding of the shares together with the following documentation (for the main shareholders): 3.3.1. For shareholders organized as a business organization (legal persons and/or natural persons) under the Law on Business Organizations: 3.3.1.1. statute and business registration documentation (for foreign legal persons – legally equivalent acts according to foreign law/jurisdiction); 3.3.1.2. the decision of the decision-making body of a legal person and/or natural persons organized as a commercial company for participation in capital; 3.3.2. For natural persons not organized as a business organization:

6 of 24 3.3.2.1. the proposed shareholder’s identity document issued by the state of citizenship and the exact address of the place of residence; and 3.3.2.2. the list of businesses in which he participates, business registration certificates for each case and data on any case of insolvency and/or bankruptcy; 3.3.3. the following certificates issued by competent authorities under the jurisdiction in the shareholder’s place of residence: 3.3.3.1. that the person is not under criminal prosecution; 3.3.3.2. that the person is not in trial for criminal offenses; 3.3.3.3. that the person is not criminally convicted; 3.3.3.4. from the Chamber of Private Bailiffs, that the person is not in the process of compulsory execution for unpaid asset liabilities. 3.3.3.5. that the person has no personal bankruptcy files, disqualification from the exercise of the profession or past or present involvement in the management function of any corporation or other entrepreneurial body that has been subject to insolvency proceedings; 3.3.3.6. consent/authorization that allows the CBK to verify the past criminal record and obtain other information regarding the provided information; 3.3.3.7. the documents required under this paragraph must be issued no earlier than 3 (three) months from the date of application to the CBK. 3.4. The amount of the applicant's pledged capital, including proof of payment and documentation of its source: 3.4.1. a notarized declaration of shareholders on the source of paid-in capital and that the source of this capital is not a loan from the public, credit and/or other funds the origin of which is illegitimate; 3.4.2. 3.4.2. for shareholders who are legal persons and/or natural persons organized as a company, notarized declaration of shareholders on the source of initial paid-in capital and any additions thereto during the performance of the activity, accompanied by the following documentation: 3.4.2.1. evidence of the source of capital formation, such as the report of the independent external auditor, annual financial statements, gifts or other resources intended for use in the purchase of the applicant's shares; 3.4.2.2. a certificate issued by the competent authorities, which provides data on the balance of the legal entity and the fulfilment of tax liabilities; 3.4.3. for shareholders who are natural persons, notarized declaration of shareholders on the source of initial paid-in capital and any additions thereto during the performance of the activity, accompanied by the following documentation:

7 of 24 3.4.3.1. evidence of the source of the creation of capital as a purchase or sale, gifts, wages, bank deposits in banks or other receipts for the source of capital formation; 3.4.3.2. certificates attesting to the fulfilment of tax liabilities; 3.4.3.3. contributions to the capital of the payment system operator should not derive from funds borrowed from the public, bank loans and other funds the origin of which is illegal. 3.4.4. proof from the bank that the entity has paid/blocked, in an account near it, the required amount of capital. 3.5. Business plan for the first 5 (five) years of payment system operation showing the ability of the entity to meet organizational, technical, personnel and other requirements for the purpose of safe operation of the payment system. The business plan should refer to the data on the payment system operator's planned activities and should include: 3.5.1. a business development plan and economic activity concept that should be based on realistic assessments and justify the entity's ability to use technical and financial resources as well as systems and procedures in a manner that ensures a normal functioning and sustainable activity for which the entity seeks to be licensed; 3.5.2. a forecast of the financial standing of the applicant to be licensed as a payment system operator for the first 5 (five) years of his/her activity after licensing (foreseen financial statements); 3.5.3. an analysis of the risks to which the entity and/or the participants are exposed or may be exposed in the future, the principles and measures for risk management; 3.5.4. a description of the technical equipment and resources necessary to carry out the activity, including appropriate computer, information, accounting and registration systems; 3.5.5. information on the location where the entity envisages to perform its activities, related equipment, and security measures for their storage; and 3.5.6. a description of the organizational structure. 3.6. Proposal for payment system rules set out in the Law on Payment System and Article 10 of this Regulation. 3.7. Contract on system participation between the operator and the payment system participant whereby the participant accepts the operational conditions of that system, which produces a legal effect when the system operator obtains a license from the CBK or a draft contract stating that the parties will enter into a contract immediately after the system operator is licensed by the CBK. 3.8. Description of the internal governance and control system and of risk management.

8 of 24 3.9. Name, nationality, place of residence, qualifications and experience of the director or senior manager of the payment system operator, which shall be accompanied by the following documentation: 3.9.1. the decision-making body’s decision on appointment; 3.9.2. identification document; 3.9.3. proof of university education; 3.9.4. the following certificates issued by competent authorities under the jurisdiction of the place of residence for directors, senior managers and (if applicable) legal representatives: 3.9.4.1. that the person is not under criminal prosecution; 3.9.4.2. that the person is not in trial for criminal offenses; 3.9.4.3. that the person is not criminally convicted; 3.9.4.4. from the Chamber of Private Bailiffs, that the person is not in the process of compulsory execution for unpaid asset obligations; 3.9.4.5. that the person has no personal bankruptcy files, disqualification from the exercise of the profession or past or present involvement in the management function of any corporation or other entrepreneurial body that has been subject to insolvency proceedings; 3.9.4.6. certificates attesting to the fulfilment of tax liabilities’ 3.9.4.7. consent/authorization allowing the CBK to verify the criminal record and obtain other information regarding the information submitted; 3.9.4.8. the documents required under this paragraph must be issued no earlier than 3 (three) months from the date of application to the CBK. 3.10. Schedule of planned fees for the delivery of products and services; 3.11. Proof of payment of the application fee; 3.12. Additional information as considered reasonable by the CBK. Article 10 Rules of payment system management

1. The management rules of the payment system operator include: 1.1. Potential participants in the payment system based on the activity they perform; 1.2. Conditions for participation in the payment system; 1.3. Organizational structure and key responsibilities for each organizational function or unit;

9 of 24 1.4. Systems and procedures for identifying, managing, controlling and reporting risks to which the system operator or participants are exposed or may be exposed in the future; 1.5. Internal audit systems and mechanisms, administrative and accounting procedures, which include methods and means of effective risk monitoring and control, including the risk of using the system for money laundering and terrorist financing; 1.6. Measures that ensure the continuity and sustainability of the provision of system services; 1.7. Procedures and measures for avoiding or resolving potential conflicts of interest that may arise during the performance of the activity; 1.8. Description of the information system organization and management, including the manner of storing and protecting personal information and data of participants or interested entities to be included in the system; 1.9. System operation rules; 1.10. Contract or draft contract with the participants according to Article 9 paragraph 3.7 of this Regulation, which contains the general rules and standard procedures for the clearing and/or execution of transfers. The applicant must submit at least three contracts or draft contracts signed with three participants; 1.11. General criteria for the admission, exclusion and supervision of participants, as well as the rights and obligations of the parties; 1.12. Appointment of the settlement agent and the manner of guaranteeing the irrevocability of the transfer order; 1.13. The receipt manner and the form and structure of the transfer order; 1.14. The receipt manner and the form and structure of information for transactions in settlement accounts; 1.15. Time limits for the receipt of a transfer order and definition of the moment when a transfer order is considered to be entered into the payment system; 1.16. Determination of the moment when a transfer order is considered irrevocable by the payment system; 1.17. Methods guaranteeing the funds for settlement of accepted transfer orders received in the system; 1.18. Any other rule that may be required by the CBK. Article 11 Application review procedures and deadlines

1. The CBK shall, within 90 days of receipt of the application, review the received documentation and notify the applicant in writing whether the documentation is complete.
2. If the submitted documentation is incomplete and/or does not meet the requirements set out in this Regulation, the CBK shall notify the applicant of any deficiencies or non-compliance with the provisions of this Regulation together with the request for additional information or documents if

10 of 24 required. The deadline for submitting additional information or documents is no later than 90 days from the date of notification under this paragraph. 3. If the requested additional information or documents under paragraph 2 of this Article are filed within the deadline, the CBK shall notify the party that the application is complete. 4. CBK shall interrupt the review procedure concerning an application for licensing if the data and/or documentation required for licensing is not completed by the applicant within 90 days from the date of notification under paragraph 2 of this Article. In case of interruption of the review procedure concerning an application for licensing, the CBK shall notify the applicant thereof in writing. 5. The CBK shall issue a decision approving or refusing the licensing as a payment system operator within 90 days from the date of the applicant's notification that the licensing application is complete. The CBK shall inform the applicant in writing of the taken decision. By mutual agreement between the CBK and the applicant, the period for making the decision under this sub￾paragraph may be extended up to 90 other days. 6. During the review period of the application, the CBK may request additional information or certain changes/improvements when deemed reasonable. 7. The CBK may inspect the offices where the operator’s activity is to be conducted in order to verify the fulfilment of the conditions for its exercise. Article 12 Requirements for licence approval or refusal

1. The CBK shall decide on the approval of a license only when it establishes that the payment system operator meets the conditions and criteria set forth in the Law on Payment System and in this Regulation.
2. The CBK shall refuse the approval of a license when the criteria and conditions set forth in the Law on Payment System and this Regulation are not met and if false information is given in the application.
3. The CBK shall, within 15 (fifteen) working days from the date of issuing the decision, notify the entity on the decision to grant the license or inform it it in writing of the refusal to grant it, accompanied by the respective justifications.
4. In the event of a license refusal by the CBK, the applicant shall have the right to re-submit the application for licensing as a payment system operator. Article 13 Characteristics of the licence
5. The license is approved for an indefinite period of time and is not transferable.
6. The payment system operator shall start operation within 12 (twelve) months from the date of notification of the licensing. If it do not commence its activity within this time, the license shall become invalid. The payment system operator may reapply for licensing.

11 of 24 3. The license certificate for payment system operators shall be issued in accordance with the Regulation on Issuance of Licensing Certificates or Registration of Financial Institutions. 4. Payment system operators shall, prior to commencement of activities, notify the CBK of the preparations made and of the readiness to commence with the exercise of the activity, the creation of adequate space and infrastructure to carry out the activity, including installation of the information technology operating system. Article 14 Fee for application and supervision

1. The entity applying for a payment system operator license shall pay the application fee in the amount determined by the CBK. The paid fee shall not be refunded even if the application for registration is refused.
2. After licensing from the CBK, the payment system operator shall pay a supervision fee in the amounts determined by the CBK for non-bank financial institutions that carry out payment transaction activities. Article 15 Register
3. The CBK shall maintain a public register of licensed payment system operators.
4. The register shall contain the following information: 2.1. Name, headquarters address and contact details; 2.2. The license number issued by the CBK; 2.3. Unique Identification Number; 2.4. Activities for which the operator is licensed; 2.5. Revocation of a issued license or termination of business activities.
5. The register referred to in the preceding paragraphs shall be open to the public and shall be updated on a regular basis. Article 16 Licence revocation or suspension
6. The CBK may revoke or suspend a licence if the payment system operator: 1.1. has not commenced service delivery within twelve (12) months after the date of licensing; 1.2. has terminated the provision of the service for a period of over one (1) month; 1.3. has obtained the license through false statements or any other irregular means; 1.4. does not apply the applicable license terms on a continuous basis; 1.5. there are reliable data that senior shareholders, directors and/or managers are involved in money laundering or terrorist financing activities;

12 of 24 1.6. has violated any legal provision, any order or regulation of the CBK or any condition or restriction related to a license issued by the CBK even after the CBK's notice; 1.7. fails to implement the order issued by the CBK in accordance with the Law on Payment System; 1.8. enters into liquidation procedure; 1.9. 1endangers the financial system in Kosovo; 1.10. is no longer in the public interest or in the interests of system participants; 1.11. does not provide assurance to participants for the performance of a secure payment service; 1.12. requests revocation or suspension of the license, where in case of suspension the CBK shall by decision determine the term of the suspension. 2. The payment system operator's license shall be revoked by a decision of the CBK if it is assessed that the payment system operator is non-solvent or reasonably expected to become non-solvent. 3. For the purposes of this Article, “non-solvent” means that the payment system operator is not paying its liabilities or the value of the payment system operator's liabilities exceeds the value of its means. The value of assets, liabilities and capital of payment system operators is determined in accordance with the valuation standards and procedures established by the CBK. 4. Immediately upon the decision to revoke or suspend the license, the CBK shall notify the concerned system operator and publish the notification in a manner deemed appropriate by the CBK. CHAPTER III TRANSACTIONS REQUIRING PRIOR APPROVAL Article 17 Prior approvals

1. Transactions of payment system operators requiring prior approval by the CBK are as follows: 1.1. changes to the founding document and/or statute; 1.2. merging/appropriation or division; 1.3. increase of share capital; 1.4. reduction of share capital; 1.5. all transactions and actions related to share capital that result in the change of the list of shareholders who hold ten percent (10%) or more of the share capital and/or voting rights in the payment system operator; 1.6. appointment of directors and senior managers; 1.7. external auditor; 1.8. change of payment system rules; 1.9. subcontracting of activities; 1.10. distribution of dividends.

13 of 24 2. The CBK shall approve or reject, in a justified manner, the request for prior approval provided for in paragraph 1 of this Article within thirty (30) days of the complete request submission based on the documentation referred to in Article 18 of this Regulation. Article 18 Request on documentation for prior approvals

1. The system operator shall, in order to obtain prior approvals for the transactions referred to in Article 17, paragraph 1, of this Regulation, submit a written request to the CBK accompanied by the following documentation: 1.1. For changes to the founding document and/or statute: 1.1.1. decision of the decision-making body; 1.1.2. amended founding document and/or charter; and 1.1.3. written justification for amending the founding document and/or statute. 1.2. for increase of share capital: 1.2.1. if the increase of share capital is made from its internal resources: 1.2.1.1. statement regarding the source of capital increase; 1.2.1.2. report of the payment system operator’s external auditor for the previous year; and 1.2.1.3. financial statements of the last period reported to the CBK, which certify the adequacy of these resources within NBFI's capital structure. 1.2.2. if the increase of share capital is made from its external sources, the requirements of Article 9, paragraphs 3.3 and 3.4, of this Regulation shall apply. 1.3. for reduction of share capital: 1.3.1. decision of the decision-making body; 1.3.2. external auditor's report for the previous year; 1.3.3. a description of the impact of such change on capital requirements under this Regulation; 1.3.4. financial statements presenting the financial standing if this transaction were to be implemented; and 1.3.5. written justification for the reduction of share capital. 1.4. for changing the ownership of the shareholders holding ten percent (10%) or more of the share capital and/or voting rights: 1.4.1. report of the shareholding company for shareholders organized as a company or CVs of individual shareholders according to the format of the CBK; 1.4.2. name, nationality, place of residence and business and professional history for the last ten (10) years of the applicant and any beneficial owner of the applicant who would, as a result of the transaction, indirectly benefit five percent (5%) or more of the capital

14 of 24 interests and the information/documentation required under Article 9, paragraph 3.3, of this Regulation; 1.4.3. the list of business organization in which the proposed owners, including the beneficial owners (as described above), are participants, specifying the level of such participation and registered addresses of these companies; 1.4.4. for each business organization, audited financial statements (audited if applicable) for the past three (3) years; 1.4.5. source and amount of funds used in the exercise of appropriation as defined in Article 9, paragraph 3.4, of this Regulation; and 1.4.6. signed notarized agreement on change of ownership of shares. 1.5. for appointment of directors and senior managers 1.5.1. the documentation referred to in Article 9, paragraph 3, sub-paragraph 3.9, of this Regulation. 1.6. for appointment of the external auditor: 1.6.1. the proposal of the payment system operator for the appointment of the external auditor; 1.6.2. audit program; 1.6.3. description of resource utilization during the audit service; 1.6.4. an external auditor's engagement letter or service contract; 1.6.5. a document certifying the sufficient experience of the external auditor or his staff who carries out an audit in the field of audit of financial institutions; 1.6.6. certification issued by the Kosovo Financial Reporting Council (KFRC) regarding the results of the latest quality control for the external auditor (this certificate will not be required by the CBK until the KFRC can issue such a certificate); and 1.6.7. a written statement by the external auditor on the fulfilment of the principles of professional ethics set forth by the International Federation of Accountants in the Code of Ethics for Professional Accountants; 1.6.8. the requirements under the provisions of this subparagraph shall be submitted to the CBK before June 30 of each year. 1.7. for change of payment system rules: 1.7.1. proposal of amendments to the payment system rules; 1.7.2. explanation of amendments to system rules and an assessment of their impact on risk management within the payment system; 1.7.3. the corresponding draft regulation according to the version with the proposed changes. 1.8. for subcontracting of activities: 1.8.1. decision of the Board of Directors of the payment system operator on subcontracting of activities;

15 of 24 1.8.2. description of the activity the payment system operator intends to subcontract as well as the conditions that the potential recipient of the subcontracted activity must meet and the duration of the activity subcontracting; 1.8.3. data on the potential recipient of the activity subcontracting, including: name, business registration certificate, qualifications, financial reports for the last three years (if applicable under the applicable financial reporting legislation), address, telephone number, fax, e-mail address, official website, name, last name and contact details of the authorized person for representation of the potential recipient of the subcontracted activity; 1.8.4. contract or draft contract with the subcontractor through which the operator subcontracts his activity to another person; 1.8.5. documents confirming the experience of the subcontracted activity recipient with same activities as the subcontracted activity of the payment system operator (if any); 1.8.6. documentation confirming any other experience of the recipient of the subcontracted activity. 1.9. for distribution of dividends: 1.9.1. decision of the shareholder and the Board of Directors for dividend distribution; 1.9.2. forecasts related to balance sheet, statement of income, base capital, on a monthly basis for the next 12 months, reflecting the potential dividend payment; 1.9.3. audited financial statements for the last 3 years. 1.10. The CBK may require additional documents other than those specified in this paragraph. 1.11. The request for the approval of the above mentioned transactions and the documentation attached to the request must be submitted by the payment system operator and must be in one of the two official languages of the Republic of Kosovo either in original or in a notarized copy. In the case of documentation issued by relevant official authorities in foreign countries other than the Republic of Kosovo the documentation must be legalized by the competent authorities. 2. The CBK shall approve the requests set forth by the payment system operators for transactions under paragraph 1 of this Article only if the following criteria are met: 2.1. for changes to the founding document and/or statute; 2.1.1. that the changes are not in contradiction with the legislation in force, depending on what the change is about. 2.2. for increase of share capital: 2.2.1. that it consists of a legitimate source of capital funds. 2.3. for reduction of share capital: 2.3.1. the impact of such reduction on the payment system operator, including but not limited to the impact of the reduction on the financial sustainability of the payment system operator, its ownership structure and the suitability of the shareholders.

16 of 24 2.2. all transactions and actions related to share capital that result in the change of the list of shareholders who hold ten percent (10%) or more of the share capital and/or voting rights in the organization; 2.3.2. the proposed appropriation is assessed according to the same criteria that apply to the approval of a payment system operator's request for licensing with respect to shareholders, including but not limited to the expected effects of the proposed acquisition on the financial viability of the system operator payments, the ownership structure of the payment system operator and the impact that this appropriation may have on the supervision of the payment system operator by the CBK. 2.4. for appointment of directors and senior managers: 2.4.1. the criteria set out in Article 20, paragraph 3, of this Regulation shall apply; 2.5. for appointment of the external auditor: 2.5.1. the external auditor should be licensed in Kosovo; 2.5.2. the external auditor should have at least three (3) years experience in the field of audit of the financial statements of financial institutions or whose staff performing such audits have such experience; 2.6. change of payment system rules: 2.6.1. payment system rules should be prepared in accordance with the Law on Payment System. 2.7. for subcontracting of activities: 2.7.1. the criteria set out in the Law on Payment System shall apply; 2.8. for distribution of dividends: 2.8.1. when deciding to approve such a request, the CBK shall assess the impact of this request on the NBFI, including but not limited to the expected effects on NBFI's financial viability and their position in the NBFI industry. CHAPTER IV TRANSACTIONS REQUIRING NOTIFICATION TO CBK Article 19 Notification obligations

1. The payment system operator shall immediately notify the CBK in the cases of: 1.1. insolvency or interruption of the activity of participants in the system; 1.2. problems in the functioning of the system, including corrective measures taken;

17 of 24 1.3. assessment that there are justified reasons for interrupting or suspending any of the system activities; and 1.4. any changes to the list of system participants. 2. The Operator shall notify the CBK within 30 (thirty) calendar days concerning: 2.1. changes in the organizational structure; 2.2. change of address and/or contact data; 2.3. the discharge/resignation of any director and/or senior manager; 2.4. re-appointment of senior directors and managers; 2.5. changes in the content of contracts with participants and contracts with other operators. 3. The payment system operator shall notify the CBK at least 30 (thirty) days in advance of any change in the fees applied to the participants, the method of their calculation and the justification for such changes. CHAPTER V ORGANIZATION, MANAGEMENT AND ADMINISTRATION OF PAYMENT SYSTEM OPERATORS Article 20 Payment system governance

1. The activities of a payment system operator shall be governed and managed by and under the direction of its executive organs, in accordance with the Law on Payment System, this Regulation and the Statute of the institution. The payment system operator must act in accordance with accepted principles of good governance to ensure that the institution's business is conducted safely and securely. The payment system operator shall comply with all applicable regulations and orders issued by the CBK.
2. The payment system operator shall be governed by the Board of Directors appointed by the shareholders or owners and shall consist of a number of not less than (3) three members of different education backgrounds, of which the majority shall be independent and non-executive.
3. Directors and senior managers of payment system operators shall meet at least the following criteria: 3.1. have a university degree in economics, information technology, law or other relevant field; 3.2. have professional experience of no less than 3 (three) years in the banking and/or financial sector or in any relevant other area and/or considered appropriate by the CBK; 3.3. have a high ethical and professional reputation; 3.4. have not been discharged from a financial institution by the CBK; 3.5. have not been convicted by a criminal court for a criminal offense with imprisonment of one year or more, where no fine option existed; 3.6. have not been convicted of an economic crime or found guilty of criminal offenses under the Criminal Code;

18 of 24 3.7. have not been discharged or suspended by the competent authority from the exercise of the profession; 3.8. have not caused or were not responsible for the bankruptcy of any entity exercising economic activity; 3.9. have not been subject to insolvency or bankruptcy filing procedures, and be relieved of payment of past property liabilities. 4. The Board of Directors and its members may delegate tasks but may not delegate their responsibilities to others. 5. The Board of Directors must appoint the Chief Executive Officer or General Manager and other senior managers. The steering board must meet at least twice a year. 6. 8. This Article shall not apply in the case where the payment system operator is a bank or NBFI registered for the exercise of the activity of payment or issuance of electronic money. Article 21 Committees

1. The Board of Directors of the payment system operator shall be assisted by at least two committees for auditing, risk management, organization, administration and control functions: 1.1. the audit committee which is comprised of and chaired by an independent member of the board of directors and at least one member of the audit committee should be an external expert in the field of accounting or auditing; and 1.2. risk management committee.
2. The Board of Directors' committees of payment system operators shall be composed only of members of the Board of Directors, with the exception of the Audit Committee, at least one member of which shall be an external expert in the field of accounting or auditing.
3. The CBK may require payment system operators to have additional committees other than those set out in this Regulation.
4. Payment system operators may establish additional committees other than those set out in this Regulation as well as other committees within the senior management.
5. Regular meetings of the committees shall be convened according to the schedule set by the Board of Directors. Extraordinary meetings may be called by two members of the Board of Directors or by two members of the committee. A member of the Board of Directors may serve in more than one committee.
6. This Article shall not apply in the case where the payment system operator is a bank or NBFI registered for the exercise of the activity of payment or issuance of electronic money.

19 of 24 Article 22 Chief Executive Officer

1. The daily operations of the payment system operator are the responsibility of the Chief Executive Officer/General Manager appointed by the Board of Directors. The Chief Executive Officer cannot serve simultaneously as the chairperson of the Board of Directors.
2. This Article shall not apply in the case where the payment system operator is a bank or NBFI registered for the exercise of the activity of payment or issuance of electronic money. CHAPTER VI PAYMENT SYSTEM SUPERVISION Article 23 Principles regulating the system operator’s activity
3. The payment system operator shall carry out its activity in accordance with the best international standards and practices of the European Central Bank (ECB) and the International Banking Regulations (BIS), guided by prudent management principles.
4. In exercising prudent management, the system operator shall: 2.1. take appropriate measures to limit the risks; 2.2. ensure high levels of transparency; and 2.3. take measures for the continuous and efficient functioning of the system.
5. The payment systems classified payments of systemic importance by the CBK shall comply with the Financial Market Infrastructure Principles of the Bank for International Settlements (BIS).
6. The CBK shall, for the purposes of overseeing systems licensed under this Regulation, make public supervision policies and specific procedures for system supervision depending on the importance it attaches to the stability of financial markets. Article 24 Record keeping
7. System operators shall keep all relevant activity records for the purpose of the Law on Payment System and this Regulation for at least five (5) years.
8. Records shall be kept in a medium that enables the retention of information in a manner that is accessible for future reference by the CBK and in that form and manner ensuring the fulfilment of the following conditions: 2.1. the CBK should be able to access such records without difficulty and verify each key stage of processing of any payment/settlement; 2.2. any correction or change should be made possible and the contents of the records prior to such correction or amendment should be readily verifiable; and

20 of 24 2.3. it should not be possible for the records to be manipulated or amended in other ways. Article 25 Financial reports and auditing

1. Payment system operators shall keep accounts and records and prepare annual financial statements that are adequate to reflect their activity and financial standing in accordance with International Accounting and Financial Reporting Standards.
2. Accounts and financial statements shall be prepared in such form and detail as well as in accordance with International Accounting Standards and Financial Reporting Standards.
3. Payment system operators are required to prepare and submit all reports and statements, including monthly, quarterly and annual reports of the financial statements, in a format specified by the CBK.
4. Payment system operators shall carry out the annual audit in accordance with the International Accounting and Financial Reporting Standards. The external auditor should be approved in advance by the CBK.
5. The payment system operator shall have an internal auditor. This function may also be subcontracted by a company specialized in the provision of these services. The internal auditor should be approved in advance by the CBK. Duties of internal auditors may be specified by a CBK regulation or order.
6. If deemed necessary, the CBK reserves the right to ask the payment system operator to establish an internal audit function within its structure, excluding the possibility of contracting the internal audit. Article 26 Reporting to CBK
7. The payment system operator shall submit to the CBK annually the external auditor's report together with the financial statements and a special annex in accordance with Article 25 of this Regulation.
8. At latest within 4 months after the end of the financial year, namely by April 30, the payment system operator shall submit to the CBK the external auditor's report and management letter for the previous financial year.
9. The payment system operator shall submit to the CBK monthly information on the system's activity in relation to: 3.1. the number and value of the processed transactions; 3.2. other information provided by CBK sub-legal acts.
10. The CBK may request from the operator other regular or ad hoc reports on specific issues that the payment system operator should make available to the CBK whenever it is required.

21 of 24 Article 27 Annex of the external auditor’s report

1. The external auditor's report together with its annexes shall be submitted to the CBK at the latest within 4 months after the end of the financial year, i.e. by 30 April.
2. The special report of the external auditor contains: 2.1. assessment of compliance with risk management rules: 2.1.1. the external auditor controls and assesses the compliance of the payment system risk management rules in accordance with this Regulation; 2.1.2. the external auditor assesses the adequacy of risk management systems; 2.2. Assessment of the internal control system; 2.3. Evaluation of the information management system. Article 28 Data publication by the payment system
3. The system operator shall publish and update on its official website basic information and data on the system it operates, in particular: the name of the payment system, the financial statements and key features, the operator's headquarters and the system participants and all fees applied for participation in the system.
4. The operator shall ensure that system participants and potential participants have access to documentation, information and data regarding the rights and obligations of system participants and risk management in that system. Article 29 Payment system supervision
5. Payment systems operating under this Regulation, including operators and any third parties to which part of the services are subcontracted shall be subject to supervision by the CBK.
6. Payment system operators, participants and other persons subject to supervision are obliged to allow the CBK to exercise the supervision process, to refrain from actions that may hamper the CBK and to provide all information and cooperation established by this Regulation or required to carry out supervision by the CBK or persons authorized by the CBK to oversee the payment system or operators.
7. The CBK may cooperate with other public authorities engaged in the regulation and supervision of financial institutions and other entities that are directly or indirectly involved in the functioning of the payment system in Kosovo.
8. The CBK may exchange information with such authorities and persons and notify the relevant findings during the supervision activity.

22 of 24 5. The CBK may cooperate with the authorities of other countries in overseeing payment systems. The CBK has the right to share information with these authorities and persons and to notify them of relevant findings during supervision activities. 6. The CBK shall, through the Payment System Supervision Policy and relevant regulations, specify in detail the principles and the ways of supervision. Article 30 Access to information

1. The CBK may require payment system operators, any participant or other person acting on behalf of the payment system operator to provide within the period specified in the request of the CBK all information that may required by the CBK.
2. The CBK may prepare and publish consolidated reports with information provided under this Regulation for statistical purposes, statements relating to or deriving from any information provided under this Regulation. Article 31 Examination
3. The CBK may examine any payment system operator as part of the licensing process and on a periodic basis as part of its supervision. This can be done with or without a written request or prior notice.
4. In such cases, the CBK has the authority to examine and collect books, equipment or other items as necessary to ensure compliance with the CBK's definitions and has the right to interview the staff.
5. The CBK may appoint independent external experts or its officials to participate in the meetings of the governing bodies of the payment system operators. Such authorized officials may provide opinions and recommendations that are recorded in the minutes of the meetings. Article 32 Payment system supervision measures
6. If the CBK ascertains a violation in the payment system operator's activity, the CBK may, depending on the nature and importance of such violation: 1.1. Issue a written warning and/or provide mandatory instruction to the operator and/or payment system participants; 1.2. Oblige the operator and/or participants to terminate and correct the violations within a certain timeframe; 1.3. Order the operator to exclude a participant designated by the payment system if the participant does not respect the system requirements or rules;

23 of 24 1.4. Instruct changes to system rules; 1.5. Allow the operator to carry out, at his own expense, the internal or external audit of the system or its participants; 1.6. Impose a monetary penalty on the operator and/or payment system participant as defined by the Law on Payment System; 1.7. Impose a temporary ban on the payment system operator to engage in the payment system activity; 1.8. Revoke the operator’s license. Article 33 Confidentiality

1. The persons authorized by the CBK to oversee payment systems and payment operators are obliged to respect professional confidentiality regarding information obtained during the exercise of the functions. Based on information obtained from supervision activities, the CBK may provide summary information to a third party without identifying operators and specific persons.
2. Information obtained during supervision may be used only by authorized persons in the performance of their work responsibilities and in legal proceedings relating to an action against a decision issued by the CBK as regards the supervision of systems or similar procedures.
3. The CBK may provide to a supervisory authority of another country the information obtained during the supervision process.
4. Authorities and persons, other than those provided for in paragraph 3 of this Article, may be provided with any information provided that such authorities and persons have the obligation to protect the information and to respect confidentiality.
5. Any information provided under this Article: 5.1. shall be used only for specific purposes or for the procedure for which this information is made available; 5.2. when provided to another country, it should only be in summary or aggregated form.
6. The CBK may, in accordance with the applicable arrangements, request all the information necessary for its supervision activities by the supervisory authorities of other countries. Article 34 Transitory provisions For the licensing procedures of payment system operators and the procedures for reviewing applications for the approval of transactions under Article 17, paragraph 1, of this Regulation, the

24 of 24 manual for the registration of microfinance institutions and non-bank financial institutions shall apply mutatis mutandis, unless otherwise determined by the CBK. Article 35 Violations and remedial measures Any violation of the provisions of this Regulation shall be subject to remedial measures and civil penalties, as defined in the Law on Central Bank of the Republic of Kosovo and the Law on Payment System. Article 36 Entry into force This Regulation shall enter into force 15 days after its approval by the Central Bank Board. Flamur Mrasori Chairman of the Board of the Central Bank of the Republic of Kosovo