Decision on Detailed Content and Manner of Submitting Information for Payment Services Authorisation

Pursuant to Article 44 paragraph (2) item 3) of the Central Bank of Montenegro Law (OGM 40/10, 6/13, 70/17, 125/23) and Article 71a paragraph (5) and Article 72 paragraph (8) of the Payment System Law (OGM 62/13, 111/22, 15/25), the Council of the Central Bank of Montenegro, at its meeting held on 3 March 2025, passed the following DECISION on more detailed content and the manner of submitting information, data and documentation supporting the application for granting authorisation to provide payment services and acquire qualifying holding Subject Matter Article 1 This decision shall prescribe in more detail the content and the manner of submitting information, data and documentation supporting the application for granting authorisation to provide payment services, and to acquire qualifying holding referred to in the Payment System Law (OGM 62/13, 111/22, 15/25) – (hereinafter: the Law). Application to electronic money issuers Article 2 This Decision shall also apply to the procedures with respect to the applications for granting authorisations to issue electronic money. Application for granting authorisation to provide payment services and documentation supporting the application Article 3 (1) The application for granting authorisation to provide payment services shall be submitted in writing to the Central Bank of Montenegro (hereinafter: the Central Bank). (2) Information, data and documentation set forth in Article 72 of the Law and this Decision shall be attached to the application referred to in paragraph (1) of this Article, as well as an evidence on the payment of fee in accordance with the Central Bank regulation governing the amount of fee to be paid for the services performed by the Central Bank. Submission of application for granting authorisation to provide payment services Article 4 (1) A legal person submitting the application for granting authorisation to provide payment services (hereinafter: the applicant) shall provide to the Central Bank with an application for granting authorisation to provide one or more payment services, which includes at least the following data: 1)name, the abbreviated name and the address of the head office of the applicant; 2)an address for receiving electronic mail, and webpage of the applicant, if available; 3)name and last name and telephone number of the person authorised to communicate with the Central Bank in the process of granting authorisation to provide payment services; 4)types of payment services subject to the application for granting authorisation to provide payment services;

5)list of documentation to be attached. (2) The documentation to be attached to the application referred to in paragraph (1) of this Article shall be prepared in Montenegrin language, and attached in original or certified copy, and the translations certified by the court interpreter in Montenegrin language shall be submitted with the reports and confirmation of the competent authorities. (3) The confirmations of competent authorities, certified declarations and certified copies of personal identity documents may not be older than three months following the date of their issue. (4) Where, following the submission of the application referred to in paragraph (1) of this Article until the day of deciding upon the application, the changes occur that affect or may affect the accuracy, truthfulness and completeness of documentation and information, the applicant shall submit an updated documentation to the Central Bank. Business programme Article 5 (1) A business programme referred to in Article 72 paragraph (2) item 2) of the Law should contain at least the following information and data:

1. a detailed description of all types of payment services that the applicant intends to provide as a payment institution, including an explanation of how the activities and the operations that will be provided are identified by the applicant as fitting into any of the categories of payment services referred to in Article 2 paragraph (1) of the Law;
2. a declaration of whether the applicant will at any point enter into possession of funds of the payer;
3. a description of the execution of the payment services, detailing all parties involved in the execution of each payment service provided:

• a diagram of flow of funds, in the execution of payment service;
• settlement arrangements of payment transactions;
• draft contracts between all the parties involved in the provision of payment services including those with payment card schemes, if applicable;
• processing times;

4. draft framework contract made in accordance with Article 21 paragraph (2) of the Law;

5. the estimated number of different locations from which the applicant intends to provide the payment services, and/or carry out activities related to the provision of the payment services, if applicable;

6. a description of any ancillary activities to the payment services, if applicable;

7. a declaration of whether the applicant intends to provide payment services with granting loans and, if so, within which limits;

8. a declaration of the applicant of whether it provides or intends to provide, for the next three years, other business activities, including a description of the type and expected volume of the activities. (2) The information referred to in paragraph (1) item 3) indents 1 and 2 of this Article shall not be submitted if the applicant requires authorisation only to provide payment initiation payment services. Business plan Article 6 The business plan referred to in Article 72 paragraph (2) item 3) of the Law should contain the following information, data and documentation:

9. a marketing plan consisting of an analysis of the applicant’s competitive position in the payment service market and a description of the target groups of the payment service users, marketing materials and distribution channels;

10. certified annual financial statements of the applicant for the previous three business years, or for the period for which they are available, and when the authorisation for the hybrid payment institution is required, for the last two business year or from the day of their establishment if the hybrid payment institution has been operating for shorter period;

11. a forecast of the operations for the first three fiscal years that should include:

• an income statement and balance sheet forecast, using the templates prescribed for compiling the financial statements, as well as their base assumptions - volume and value of transactions, number of payment service users, pricing, average amount per transaction, expected increase in profitability threshold;
• explanations of the main lines of income and expenses, the financial debts and the fixed assets;
• a diagram and detailed projections for the next three years using the template prescribed for the report on cash flows;

4. projections of own funds and minimum requirement for own funds for the next three business years made in accordance with the Central Bank regulation governing the method of calculating own funds of payment institutions, unless the applicant is the payment service provider referred to in Article 78 paragraph (6) of this Law. Description of the proposed measures to safeguard payment service users' funds Article 7 (1) An applicant shall, together with the description of the proposed measures to safeguard payment service users' funds referred to in Article 72 paragraph (2) item 5) of the Law, submit a declaration of the method selected for safeguarding payment service users' funds in accordance with Article 79 of the Law. (2) Where the applicant intends to safeguard the payment service users’ funds through depositing funds in a separate account in a credit institution or through an investment in liquid and low-risk assets, the description of the safeguarding measures should also contain the following information and data:

5. the number of persons that have access to the safeguarding account and their functions;

6. a description of the administration and reconciliation process to ensure that payment service users’ funds are insulated in the interest of payment service users against the claims of other creditors of the payment institution, they may not be subject to execution or enforced collection implemented against the payment institution or they are not included in the winding-up or bankruptcy estate of that payment institution;

7. a draft contract with the credit institution;

8. a description of the investment policy to ensure the assets chosen are liquid and low risk, if applicable; (3) Where the applicant safeguards the funds of the payment service user through an insurance policy from an insurance undertaking or secure them through a banking guarantee, the description of the measures for safeguarding the funds of the payment service user should contain the following:

9. a confirmation that the insurance policy or banking guarantee has not been issued by an insurance undertaking or a credit institution that is not part of the same group as the applicant;

10. details of the reconciliation process in place to ensure that the insurance policy or banking guarantee is sufficient to meet the applicant’s safeguarding obligations at all times;

11. duration and renewal of the coverage;

12. a copy or the draft insurance agreement or banking guarantee. (4) The information referred to in paragraphs (1), (2) and (3) of this Article shall not be submitted where the applicant applies for authorisation only to provide payment initiation services or account information services. Description of the envisaged governance framework and procedures Article 8 A description of the envisaged governance framework, including administrative, accounting and risk-management procedures referred to in Article 72 paragraph (2) item 6) of the Law should also contain the following data and information:

13. a mapping of the risks identified by the applicant, including the type of risks and the procedures the applicant will put in place to assess and prevent such risks, as well as to manage such risks;

14. an overview of the procedures to carry out periodical and permanent controls including the data on the frequency of such controls and the human resources allocated;

15. the data on auditors the payment institution intends to engage that are not statutory auditors in accordance with the law;

16. data on the composition of the management body and, if applicable, of any other oversight bodies;

17. a description of the way outsourced functions are monitored and controlled so as to avoid an impairment in the quality of the payment institution’s internal controls;

18. where the applicant is the subsidiary undertaking of a regulated entity in another state, a description of the group governance. Description of the procedures in place to monitor, handle and follow up a security incident or security related customer complaints Article 9 A description of the procedures in place to monitor, handle and follow up a security incident or security related payment service user’s complaints referred to in Article 72 paragraph (2) item 7) should also contain, in particular:

19. organisational measures and tools for the prevention of fraud;

20. details of the persons or organisational units responsible for assisting customers in cases of fraud, technical issues and/or claim management;

21. reporting lines in cases of fraud;

22. data on person responsible for customers (name and last name of that person, and an email address;

23. the mechanism or the procedures for the reporting of incidents, at both, internal and external level, including the reporting to the Central Bank on incidents in accordance with the decision governing the reporting on significant operational and security incidents;

24. the monitoring tools used and the follow-up measures and procedures in place to mitigate security risks.

Description of the process in place to file, monitor, track and restrict access to sensitive payment data Article 10 A description of the process in place to file, monitor, track and restrict access to sensitive payment data referred to in Article 72 paragraph (2) item 8) shall contain the following information and data: (1) a description of the flows of data classified as sensitive in the context of the applicant’s business model; (2) the procedures in place to authorise access to sensitive payment data; (3) a description of tools for monitoring the access to sensitive payment data; (4) the policy on right to access sensitive payment data, detailing access to all relevant infrastructure components and systems, including databases and back-up infrastructures; (5) unless the applicant intends to provide payment initiation service only, a description of how the collected data are filed; (6) unless the applicant intends to provide payment initiation service only, the expected internal and/or external use of the collected data, including by counterparties; (7) the IT system and technical security measures that have been implemented including, encryption and/or tokenisation; (8) identification of persons, organisational units and/or other groups of persons that may have right to access the sensitive payment data; (9) an explanation of how breaches will be detected and addressed; (10)an annual internal control programme in relation to the safety of the IT systems. Description of the business continuity arrangements Article 11 A description of the business continuity arrangements referred to in Article 72 paragraph (2) item 9) of the Law shall also contain the following information and data:

1. business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, data recovery point objectives and protected assets;

2. the identification of the back-up site, access to IT infrastructure, and the key software and data to recover from a disaster or disruption;

3. an explanation of how the applicant will deal with significant business continuity events and/or disruptions, such as the failure of key systems, the loss of key data, the inaccessibility of the premises, and the loss of key persons;

4. the frequency with which the applicant intends to test the business continuity and disaster recovery plans, including how the results of the testing will be recorded;

5. a description of the mitigation measures, in cases of the termination of its payment services, ensuring the execution of pending payment transactions and the termination of existing contracts. A description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud Article 12 A description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud referred to in Article 72 paragraph (2) item 10) of the Law shall also contain the following information and data:

6. the type of data that is collected, in relation to customers, type of payment service, distribution channel, instrument, and currencies;

7. the scope of the collection, in terms of the activities and customers concerned, including branches and agents;

8. the means, the purpose and the frequency of data collection;

9. a description of processes, or draft of an internal act governing the functioning of the established system for the data collection. Security policy document Article 13 A security policy document referred to in Article 72 paragraph (2) item 11) of the Law shall contain the following information and data:

10. a detailed risk assessment of the payment services the applicant intends to provide, which also includes the risks of fraud and illicit use of sensitive and personal data, a description of the security control and mitigation measures taken to adequately protect payment service users against the risks identified;

11. a description of the IT systems, which includes:

• the architecture of the systems and their network elements;
• the business IT systems supporting the business activities provided, such as the applicant’s website, wallets, the mechanism for payment processing, the mechanism for risk and fraud management, and the method of customer monitoring;
• the support IT systems used for the organisation and administration of the applicant (e.g. accounting, reporting systems, staff management, customer relationship management, e-mail servers and internal file servers);
• information on whether the applicant or its group already use the systems referred to in indents 2 and 3 of this item, and if not, the estimated date of implementation, if applicable;

3. the type of authorised connections from outside (e.g. with partners, service providers, entities of the group and employees working remotely), including the rationale for such connections;
4. for each of the external connections listed under item 3) of this paragraph, the logical security measures and mechanisms in place, specifying the control the applicant will have over such access as well as the nature and frequency of each control (e.g. technical versus organisational, preventative versus detective), and real-time monitoring versus regular reviews, the opening/closing of communication lines, security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus systems and logs;
5. the logical security measures and mechanisms that govern the internal access to IT systems, which include:

• the technical and organisational nature and frequency of each measure (e.g. whether it is preventative or detective and whether or not it is carried out in real time);
• the process of client environment segregation in cases where the applicant’s IT resources are shared;

6. the physical security measures and mechanisms of the premises and the data centres of the applicant, such as access controls and environmental security;
7. the security of the payment processes, specifying:

• the customer authentication procedure used for both consultative and transactional access, and for all underlying payment instruments;

• an explanation of how safe delivery to the legitimate payment service user and the integrity of authentication factors are ensured, at the time of both initial enrolment and renewal;

• a description of the systems and procedures that the applicant has in place for transaction analysis and the identification of suspicious or unusual transactions;

8. a list of the main procedures in relation to the applicant’s IT systems and an estimated date for their finalisation. Description of the planned internal control mechanisms Article 14 A description of the planned internal control mechanisms referred to in Article 72 paragraph (2) item 12) of the Law, in the part relating to the prevention of money laundering and terrorist financing shall contain the following data and information:

9. the applicant’s assessment of the money laundering and terrorist financing risks associated with its business;

10. the measures the applicant has or will put in place to mitigate the risks and execute the obligations in accordance with the law governing the prevention of money laundering and terrorist financing, including the risk assessment, internal acts governing customer due diligence requirements, and detection of and reporting on suspicious transactions or activities;

11. a description of the systems and internal control measures the applicant has put in place to ensure implementation of the regulations in the area of the prevention of money laundering and terrorist financing requirements with its agents and in branches;

12. the method for regular professional education and training of the employees in the area of the prevention of money laundering and terrorist financing with the applicant and its agents;

13. a description or draft of the acts governing the rights and obligations of the compliance officer for the prevention of money laundering and terrorist financing and its alternate if designated, as well as requirements regarding the work experience and expertise in performing tasks for that position, in accordance with the law governing the prevention of money laundering and terrorist financing;

14. a description of measures and controls the applicant has put in place to ensure that internal procedures established for the purpose of prevention of money laundering and terrorist financing remain up to date and effective;

15. a description of measures and controls the applicant has put in place to ensure the protection against increased exposure to money laundering and terrorist financing risk through agents;

16. instructions and guidance to the employees of the applicant to implement measures to prevent money laundering and terrorist financing. Description of organisational structure Article 15 A description of the organisational structure referred to in Article 72 paragraph (2) item

17. of the Law, should contain the following information and data:

18. a detailed organisational chart, showing all organisational units, including the number of employees and descriptions of the functions and responsibilities of each organisational unit;

19. where applicable, the names of persons responsible for each organisational unit, and in particular for internal controls;

20. projections of the number of employees for the next three years and the dynamics of filling the vacancies;

21. a description of envisaged outsourcing arrangements, which also includes: -the name and address of the head office of provider of services to be outsourced, and the registered activity of that provider;

• persons that are responsible for monitoring each of the outsourced activities;
• a clear description of the outsourced activities and their main characteristics;

5. draft outsourcing agreement;
6. plans for operations through branches or agents, where applicable, including:

• measures for carrying out off-site and on-site checks on branches and/or agents and their frequency (at least annually);
• data on IT systems, the processes and the infrastructure to be used by agents;
• the selection policy of the agent, monitoring procedures and agents’ training and the draft terms of engagement governing the provision of payment services through an agent; Data on persons that have acquired qualifying holdings Article 16 (1) Data on persons that have acquired the qualifying holding referred to in Article 72 paragraph (2) item 14) of the Law, in addition to the documents referred to in Article 71a paragraph (1) of this Law, shall also include the following information and data:

1. a description of the group to which the applicant belongs and data on the parent undertaking, where applicable;
2. a chart setting out the shareholder structure of the applicant, including:

• the name of each person that has a direct holding in the capital or voting right in a legal person and the percentage of the share, identifying those that are considered as qualifying holders and the reason for such qualifications;
• the name and size of indirect holding expressed as the percentage in capital or voting rights in the payment institution, identifying those that are considered as qualifying holders and the reason for such qualification;

3. a list of persons that have qualifying holdings in the applicant, indicating for each such person:

• the number and type of shares or other holdings;
• the nominal value of such shares or other holdings.

4. where applicable, the content of all envisaged agreements that a person having a qualifying holding has with other persons holding a share in capital or voting right in the future payment institution;
5. data on members of the management body in a legal person which that person having a qualifying holding intends to nominate or propose, and which are not part of the documentation referred to in Article 17 of this Decision;
6. a declaration on whether the acquisition of the qualifying holding disables or hinders the ability of the payment institution to comply with the provisions of the Law and other regulations governing the operations of payment institutions;
7. a confirmation that the personal data for a natural person having a qualifying holding and persons responsible for managing the legal person has a direct qualifying holding may be submitted to other competent authorities for the purpose

of comprehensive assessment within the meaning of Article 73 paragraph (3) of the Law. (2) Where a person who has a qualifying holding is a natural person, in addition to data referred to in Article 71a paragraph (1) item 2) of the Law, the following shall also be submitted:

1. a copy of a personal identity document or passport;
2. a detailed curriculum vitae stating in particular information and data on acquired professional qualifications, previous professional experience and any professional activities or other functions currently performed;
3. confirmations from the competent authorities that the person has not been convicted and that no criminal proceedings are being conducted against that person for criminal offences against property, against payment operations and business operations, against legal transactions, against official duty, against the security of computer data, against labour rights, against life and limb, against humanity and other goods protected by the international law;
4. a statement that such person has not been in management position in a legal person at the time when bankruptcy or winding-up proceedings were initiated against that legal person;
5. information on administrative, civil and other proceedings in which that person is a party, other legally binding court decisions regarding that person, or information on issued licenses, authorisations, registrations and other decisions of competent authorities, including information on denied requests for their issuance, termination or withdrawal, as well as information on whether that person was in a management position in the legal person at the time when voluntary winding-up was opened against that legal person and whether that person was prohibited from exercising professional activities;
6. a list of undertakings that the person having a qualifying holding directs or controls with the percentage of direct or indirect control in these undertakings;
7. where an assessment of suitability of the person has already been conducted by a competent authority in the financial services sector, the identity of that authority and the outcome of the assessment;
8. data on the financial position of the person having a qualifying holding, including sources of revenues, assets and liabilities, security interests and guarantees, whether granted or received;
9. the list of persons deemed politically exposed persons in accordance with the law governing the prevention of money laundering and terrorist financing, which whom such a person is linked; (3) Where a person who has a qualifying holding is a legal person, in addition to documentation referred to in Article 71a paragraph (1) item 1) of the Law, the following shall also be submitted:
10. name and address of a person having a qualifying holding, address for the receipt of official mail if different than the address of head office and contact details of a responsible person;
11. the information whether a person having a qualifying holding is regulated by the competent authority in the financial services sector or by another state authority;
12. the information referred to in paragraph (2) items 3) to 9) of this Article with regard to a person having a qualifying holding;
13. a list of persons who manage, persons who are authorised to represent or otherwise perform a significant influence on the operations of a qualifying holder in

a legal person containing data referred to in paragraph (2) items 1) to 5) of this Article in respect of each such person; 5) ownership structure of the qualifying holder up to the level of a natural person that is considered to be a beneficial owner in accordance with the law governing the prevention of money laundering and terrorist financing, containing data in respect of each such person; 6) a description of regulated financial group of which the future financial institution is a part, containing data on a parent undertaking, and for undertakings in a group which are regulated entities, the names of those undertakings and the respective competent authorities; 7) for persons having a qualifying holding that are not legal persons (such as collective investment undertakings, trusts, and the like), the following information shall be provided:

• personal data on persons who manage assets and on the persons who are beneficiaries or subscribers;
• a copy of the document establishing and governing the holder including the investment policy and any restrictions on investment applicable to the holder. (4) The data of sources of funding for acquiring qualifying holding, should include the following information:

1. the use of private financial resources;
2. information on the use of borrowed funds, including the name of the creditors and conditions of the facilities granted (maturities, terms, security interests, sureties, and the like), as well as information on the source of revenue to be used by the person having a qualifying holding to repay such borrowings; where the creditor is not a credit institution or a financial institution authorised to grant loans, the information on the origin of the borrowed funds;
3. information on any financial arrangement with other persons who are shareholders in the future payment institution. Data on responsible persons Article 17 Documentation referred to in Article 72 paragraph (2) item 15) of the Law, pertaining to the members of the bodies of the future payment institution or persons who conduct business of the payment institution, the persons responsible for managing the payment institution, and the persons responsible for the provision of payment services (hereinafter: the responsible persons) shall be supported by:
4. copy of personal identity document or passport of the responsible person;
5. the name of the function, i.e. the job position supported by data on the period of performance of the function or employment, description of key duties and responsibilities, draft decision on employment or employment contract;
6. where applicable, information on the suitability assessment of the responsible persons carried out by the payment institution, including the evidence of the result of the conducted assessment;
7. evidence of adequate knowledge and experience for the provision of payment services, specifically the following: evidence that the responsible person has at least three years’ experience in conducting the operations of a business undertaking of a similar size and activity as the future payment institution, or in managing other comparable operations (curriculum vitae, including the name of

previous employers and the type of activities in which work experience was gained, and the nature and duration of the functions or employment performed with the previous employers); 5) for the executive director, a certified copy of the diploma on the degree of higher education obtained in the amount of at least 240 ECTS credits in accordance with the law governing higher education; 6) in evidence of good repute of the responsible person:

• confirmation by the competent authority that that person has not been convicted of, nor prosecuted for criminal offences against property, against payment system and the economy, against legal exchange, against official duty, against computer data security, against labour rights, against life and limb, against humanity and other goods protected by the international law;
• a statement that the person was not in a management position in a legal person at the time when bankruptcy or winding-up proceedings were initiated against that legal person;
• information on administrative, civil and other proceedings in which that person is a party and on legally binding court decisions regarding that person;
• information on issued licenses, authorisations, registrations and other decisions of competent authorities, including information on denied applications for their issuance, information on whether that person was in a management position in a legal person at the time when voluntary winding￾up proceedings were initiated in that legal person, as well as whether that person or a legal person in which they held a management position was prohibited from exercising professional activities;
• data on withdrawal of authorisation or termination of membership of that person by the regulatory body, competent authorities or by a professional body or association, termination of the employment contract, except in the case of termination of the job position to which they were assigned;
• information on whether another competent authority assessed the suitability of that person along with information about that competent authority, the date of the assessment and the results of that assessment;

7. the consent of the person whose data is being assessed that their personal data may be submitted to other competent authorities for the purpose of assessing the suitability within the meaning of Article 73 paragraph (3) of the Law. Insurance policy or a comparable guarantee Article 18 (1) The applicant intending to provide payment initiation services and/or account information services shall draw up an insurance policy or a comparable guarantee referred to in Article 72 paragraph (5) of the Law in accordance with the regulation governing the minimum monetary amount for professional indemnity insurance or a comparable guarantee against liability for the provision of payment initiation services and/or account information services. (2) The insurance policy referred to in paragraph (1) of this Article shall be supported by general and special conditions of insurance.

Authorisation to issue electronic money Article 19 A legal person intending to submit an application to the Central Bank for granting the authorisation to issue electronic money and/or provide payment services, shall prepare the documentation referred in Articles 4 to 9, and Articles 12 and 13 of this Decision taking into account both, the issuance of electronic money and payment services, if they intend to provide those services, whereat they shall:

1. define separately which activities with regard to electronic money they intend to provide (issuance, redemption, distribution);
2. segregate and define separately the manner of provision of services covered by the application;
3. prepare projections of own funds and the minimum own funds requirement in accordance with the decision governing the calculation of own funds of electronic money institutions. Application for granting authorisation to acquire qualifying holding and the documentation supporting the application Article 20 (1) The application for granting authorisation to acquire qualifying holding shall be submitted to the Central Bank in writing. (2) Article 4 of this Decision shall apply to the application and documentation referred to in this Article, except for the provision of paragraph (1) item 4) of that Article. (3) The application referred to in paragraph (1) of this Article shall be supported by information, data and documentation as prescribed in Article 71a of the Law, and documentation referred to in Article 16 of this Decision, as well as the evidence of payment of the fee in accordance with the regulation of the Central Bank determining the amount of the fee for the services provided by the Central Bank. Entry into force Article 21 This Decision shall enter into force on the eighth day following that of its publication in the “Official Gazette of Montenegro”. THE COUNCIL OF THE CENTRAL BANK OF MONTENEGRO Decision no. 0101-1815-2/2025 Podgorica, 3 March 2025 CHAIRPERSON GOVERNOR Irena Radović, m.p.