On November 14, 2024, banking and finance experts from Albania, Austria, Bosnia and Herzegovina, Bulgaria, North Macedonia, and Poland sat down for a virtual round table moderated by CEE Legal Matters Managing Editor Radu Cotarcea to discuss digitalization and the impact of tech on the banking sector in CEE.
Round Table Participants:
-
Sabina Lalaj, Partner, Lalaj & Partners
-
Roman Hager, Partner, Act Legal Austria
-
Dino Aganovic, Director, IQR Asset Management
-
Tsvetan Krumov, Partner, Schoenherr Bulgaria
-
Dragan Lazarov, Managing Partner, Law Office Lazarov
-
Justyna Jamrozy, Counsel, Greenberg Traurig
CEELM: How is digitalization, along with key technological innovations, reshaping the banking sector in the CEE region?
Krumov: Bulgaria is quickly implementing new technologies, and digitalization, in particular, is certainly progressing here. All financial institutions now offer online banking, various payment options, and mobile services. We have a large number of fintech financial service providers, mostly entering under the European freedom to provide services, often from more digitally advanced EU countries. However, they’re not fundamentally changing the banking landscape, as their focus is mainly on payments rather than full banking services. Traditional banking functions, especially corporate credits, are still firmly within the banks’ domain, while NBFIs specialize mostly in consumer credits. So, while new entrants from the EU and NBFIs are bringing some change, core banking services remain largely the same. But with emerging tech like AI and cryptocurrencies, we’re seeing more regulatory developments and evolving client demands.
Hager: Vienna has traditionally been at the forefront of banking innovation, and we’re seeing massive shifts in the industry. Over the past decade, there’s been a steady influx of fintech companies, including payment service providers and P2P lending platforms. Large banks are actively collaborating with these new players, not only within Austria but also across the region. We’ve seen smaller banks transform into digital-only banks – some even sold off their branch networks to focus purely on digital services. Now, many banks use primarily digital channels to communicate with clients, and digital platforms are sophisticated, user-friendly, and handle operations well. We also have major international digital banks, like Revolut and N26, entering the space, which is driving even more change.
Jamrozy: Digitalization is having a significant impact on the Polish banking sector. Traditional banks here are heavily investing in digital platforms to improve customer service and operational efficiency. For example, mBank, a leading Polish bank and a subsidiary of Germany’s Commerzbank, has pioneered mobile banking applications, AI integration, and online loan services. One standout innovation is the BLIK payment system, developed by the largest Polish banks and widely adopted as a popular payment method in the country. These developments highlight how digital solutions are becoming central to the Polish banking experience.
Lalaj: Digitalization is also pushing traditional banks in Albania to adapt. The Albanian bank sector has undergone significant changes in the last years, from 16 banks there are currently 11 in the country due to mergers or voluntary liquidation. Not fintech entrants are incentivizing banks to enhance their digital payment services, like mobile and online payment applications, which are particularly appealing to the younger, tech-savvy generation. We’re seeing a similar trend in Kosovo. While most changes have focused on payment services so far, there’s now a push from banks to improve other real-time financial services, including loan-related services, aiming to boost efficiency and stay competitive in an evolving market.
Lazarov: In the non-EU CEE countries, including North Macedonia, digital transformation in retail banking started a while ago, but more advanced innovations are only gradually being implemented. Here, traditional barriers, along with lower financial literacy levels, often slow down the adoption of new technologies. For example, while we have PSD2 legislation that allows electronic transfers, broader platforms like Revolut are still not permitted. Despite high interest in innovative technology from younger customers, regulatory limitations mean that the full potential of digital banking remains largely untapped. Banks are using available technology, but progress is very incremental due to the restricted market environment.
Aganovic: As everywhere, new technologies are simplifying everyday life in Bosnia and Herzegovina. Mobile and internet banking is a new standard, and almost everything can be done online. Banking risk functions have been enhanced by technology by most which is also reflected in a low level of NPL. However, the entire system is still wired in a manner that one still needs original documentation with a signature and stamp, so for example if you do make a payment online and want to provide valid evidence to a court you still need a printout certified by a bank physically. Digital signature legislation is still not implemented and for a lawyer, technology has not been used to its full potential – not strictly restricting this thought to the banking sector.
CEELM: Aside from that, as a standing question: fintech companies are carving up market shares from banks – are there any threats in your jurisdiction?
Hager: In Austria, we have a strong virtual asset broker called Bitpanda, which has become quite influential in this space. It’s an area where fintech companies have a clear advantage over traditional banks, which are now starting to take an interest – one of the large banks here is actively exploring the potential of digital assets. Another interesting development, is in the retail sector, particularly in securities trading. This shift is a real competitive challenge for traditional banks, as fintech companies are well-positioned to serve this demographic with innovative, accessible trading platforms.
CEELM: In light of that, how has the regulator reacted so far? What about the established banking sector? Do you see active efforts for the regulator to change its approach?
Krumov: Bulgarian regulators have a relatively conservative approach to implementing EU financial services regulations. Under the EU’s freedom to provide services, however, the regulatory responsibility lies mainly with the home country of the provider, meaning the Bulgarian National Bank and the Financial Supervision Commission are mainly limited to informing the regulator in the foreign fintech provider’s home state. In addition to this, although Bulgarian regulators do not have specific guidelines as to when fintech financial services are deemed to be provided in Bulgaria, as well as – when the level of cross-border provision of financial services would not be tolerated anymore, and a requirement to set up a Bulgarian branch is triggered, their approach in practice to foreign fintech companies is quite liberal. This domestic regulatory environment with a quite high level of tolerance towards cross-border provision of financial services has led to an influx of fintech service providers from countries with a more flexible approach to regulatory requirements, quickly getting market share in Bulgaria. However, as opposed to other EU countries, such fintech companies are still not active in providing loans in Bulgaria. When they expected to start doing so, foreign fintech companies would primarily focus on lower-scale loans. So, overall, the regulatory environment will continue to allow foreign players to fill specific niches, maintaining a relatively small share of fintech companies in classic banking services.
Jamrozy: In Poland, fintech companies like Revolut and PayPal are gaining traction by offering faster and more convenient services. To keep up, the Polish Financial Supervision Authority has set up a regulatory sandbox to encourage innovation by allowing fintech companies to test new products. Current regulations focus on customer protection, data privacy, and cybersecurity, with the added aim of safeguarding online lending practices. Traditional banks are responding by investing in fintech solutions themselves, and some are even considering acquisitions to gain access to innovative technology. Overall, the regulatory approach here is cautious but supportive, aiming to balance innovation with consumer protection.
Lazarov: In our jurisdiction, regulatory responses have often been reactive, especially when cases of personal data misuse have surfaced. Interestingly, many of these abuses came through traditional, rather than digital, communication channels. The regulator, which is led by the Ministry rather than the central bank, has been active, but limited resources mean that oversight can be inconsistent. New legislation has been introduced, but there’s a thin line between regulation and overregulation, and too much scrutiny could stifle progress. Ideally, regulators would find a balance that protects consumers while allowing fintech and AI to develop, especially as AI has been more effective than manual efforts in areas like AML detection.
Lalaj: In Albania, the government has taken steps to support fintech companies and online banking, with several changes passed in legislation. The law on payment services was introduced in 2020 to enable the licensing and operation of payment institutions to operate. This aligns with Albania’s broader goal of integrating with the Single Euro Payments Area. However, there are ongoing cybersecurity concerns, especially as the government and banks weigh the risks of opening up to fintech companies. The Albanian authorities are working closely with stakeholders to enhance security and regulatory standards, but there’s still uncertainty about how safe the integration of fintech companies into the traditional banking system will be.
Aganovic: Unfortunately, in Bosnia, the regulatory focus is mainly on traditional banks and microfinancing institutions, with limited oversight of fintech companies. The regulator seems reluctant to extend its scope to fintech, which affects uniformity in how financial laws are applied, as different courts of Bosnia interpret EU-derived regulations inconsistently. Fintech companies here are mostly involved in streamlining processes, like risk management, which reduces the subjective role of bank personnel. While digitalization speeds up banking operations, it hasn’t significantly impacted the legal field yet, since we still rely on physical documentation in court. Although banking is advancing digitally, the judicial system lags behind. As I described earlier, even if you receive an online confirmation for a transaction, it’s not recognized in court without physical signatures and bank stamps, so we still face a long road toward fully embracing digital transformation.
CEELM: A topic that you all touched upon is cybersecurity. Do you think the banking sector is doing much on cybersecurity?
Jamrozy: In Poland, banks are investing heavily in advanced technologies for cybersecurity, but they also have to ensure that these efforts align with data protection and privacy laws. This means implementing robust data governance frameworks that protect customer information while adhering to privacy regulations.
Aganovic: Banks in Bosnia have top-notch IT infrastructures and work closely with major providers like Mastercard and Visa for high-tech security. However, if there’s fraud or cybercrime within Bosnia, local authorities still handle investigations, and there are limitations. For instance, recent cases, like a prank involving bomb threats, exposed gaps in local law enforcement’s cybersecurity capabilities. Although banks themselves follow high standards, state institutions haven’t fully kept pace.
Krumov: At the EU level, the 2016 cybersecurity legislation requires banks to comply with international cybersecurity standards and requires them to notify authorities about incidents. This field is evolving not only due to technological progress but also because of the political focus on cyber threats, especially from non-EU countries. A recent EU directive on cybersecurity was due for transposition by member states on October 17, but Bulgaria hasn’t implemented it yet. Overall Bulgarian banks rely on guidance from their parent banks when implementing cybersecurity regulations and consult domestic law firms on specific ambiguous points. We primarily encounter these issues in due diligence reviews for other entities subject to cybersecurity regulations.
Hager: Cybersecurity and digital resilience are top priorities for banks and financial institutions in Austria, especially as new EU regulations like DORA and MiCA come into play. There’s a considerable amount of work underway to strengthen cybersecurity frameworks in line with EU standards.
Lalaj: Albania introduced a cybersecurity law in 2017, and a new country strategy has been approved for the period 2024-2028, while the country is getting ready for EU membership and is working to align its legislation with the EU acquis. The Bank of Albania and other stakeholders in charge of cybersecurity are cautious while progressing on the integration in the market on this front, and cybersecurity remains a key topic in their discussions. Albania is aiming to follow best practices from the EU to bolster protections against cyber threats.
Lazarov: For us, cybersecurity in banking is driven more by necessity than regulation. The recent formation of a Ministry of Digitalization highlights the country’s increasing focus on cybersecurity. While banks were proactive before, recent high-profile breaches with Mastercard and Visa through European banks have made them more vigilant. This focus on cybersecurity is more about protecting their business and customers than complying with regulatory mandates.
CEELM: Lastly, if you had to pick one big element that will impact banking in your jurisdiction in 2025, what would it be?
Lalaj: For us, open banking is going to be the biggest shift. The government is driving this change, and as fintech companies expand their services and operating areas, they’re likely to become more ambitious in the market. This push will bring new risks, especially around data protection, as banks and non-banking entities ramp up investments in security and privacy. Additionally, a new data protection law, aligned with GDPR, will add compliance demands for banking and non-banking players, which may challenge the market with extra regulatory requirements.
Aganovic: In Bosnia, we don’t anticipate any substantial shifts or investments in the banking sector due to ongoing political challenges. Unfortunately, this isn’t a very friendly environment for investment right now, so we’re mainly following broader EU trends without expecting big local changes.
Lazarov: With PSD2 already in place for two years, we’re now seeing new financial instruments legislation coming into play, marking a phase of compliance and adaptation. The sector is slowly opening to European markets, and although legislation may lag, industry developments are dynamic. Compliance should serve as a baseline rather than a barrier, so we’re focused on progressing the sector while navigating evolving regulations. Our office is actively engaged on a societal and sectoral level to understand and shape these changes.
Krumov: In the next couple of years, the biggest shift will come from the EU’s AI Act. This regulation, effective since August 2024, requires member states to designate supervisory authorities by August next year, and by August 2026, banks will need to fully comply with it. The AI Act imposes strict standards, with disclosure requirements for AI use in client services and limitations on certain AI applications. Many banks use AI for things like call centers, but they will need to ensure transparency and certain AI systems may be banned altogether under the new regulation.
Jamrozy: In Poland, the biggest element impacting the banking sector in 2025 will likely be the integration and advancement of digital banking technologies, particularly in the context of cybersecurity and digital identity verification. As the Polish market increasingly implements digital solutions, driven by consumer demand for more convenient and accessible banking services, the emphasis will be on enhancing security measures to protect against cyber threats. This focus is crucial as the sector continues to adopt innovations like digital wallets, blockchain, and AI-driven services. Additionally, Poland is actively aligning with EU directives on digital identity, which will require banks to implement robust verification systems to ensure secure and compliant transactions. The EU AI Act will also play a significant role, mandating transparency and compliance in AI applications within banking, thus shaping the development and deployment of AI technologies. This evolution will not only reshape customer interaction but also necessitate comprehensive regulatory frameworks to safeguard data and maintain trust in digital banking. As a result, the legal landscape will need to adapt quickly to support these technological advancements while addressing new compliance challenges, making this a key area of focus for the sector.
Hager: A major factor in 2025 will be the global trend toward deregulation, especially with potential shifts in the U.S. following the recent elections. If the U.S. moves toward deregulating banking and other areas such as AI and data protection, it could have big implications for the EU, putting pressure on the European Commission and banking supervisory authorities to adopt that trend and ease up on existing regulations. Austria’s strict lending rules for real estate financings are already affecting our real estate sector, and with the economy in recession, any flexibility here would be welcomed not only by the real estate sector but also by the government and politicians. We could see unexpected shifts, so as lawyers, we’ll need to stay alert to regulatory changes as political dynamics evolve. It’s a precarious time.
